  1. #1
    Just Joined!
    Join Date
    Aug 2010
    Posts
    22

    Iptables and SYN-FLOOD attack


    Dear all,

    I've 2 problems with my new network infrastructure (I think!)
    I show you a basic plan of my network.

    First problem:
    Sometimes I lose my internet connection...
    I can ping outside, but webpages don't display and the clients receive no mail...
    I have to restart the VPN router to bring the connection back up.
    When the VPN router was restarted, it sent me an email saying that it had been attacked from my internal 192.168.1.1 IP address!
    I have this POSTROUTING rule on my firewall

    iptables -t nat -A POSTROUTING -o $I_RT -j MASQUERADE #I_RT is eth0 with 192.168.1.1 address

    I don't know how to resolve this problem. I added some SYN-flood protection, but it didn't work...


    2nd problem:
    I drop everything first, then allow my rules one by one.
    My script allows client requests to be forwarded to HTTP, HTTPS, POP and SMTP, and that works fine.
    But I can't get internet access from the firewall itself. I have tried many settings with INPUT and OUTPUT rules, but nothing works...

    Do you have an idea for a good configuration to allow my firewall to access the web?

    Thanks for your help!

  2. #2
    Just Joined!
    Join Date
    Aug 2010
    Posts
    22
    Does nobody have any idea about this SYN-FLOOD attack?
    Does it come from my POSTROUTING rule, which gives 192.168.1.1 to all requests from my clients' LAN? I don't have any other idea...

  3. #3
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    OK, how are you writing your firewall rules? Order plays a big role, as they are read first-in first-executed, or top down. How are you blocking before you allow? Use the code tags and post your firewall rules, then maybe I can help you.

    You can look at this TUTORIAL a while if you'd like.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  4. #4
    Just Joined!
    Join Date
    Aug 2010
    Posts
    22
    Thanks for your response!
    I know that order is important and I think my script has some problem with this...
    I block everything and authorise one by one. I attach my script and hope you will see something!
    Thanks for your help

    Code:
    echo "############################################################"
    echo "#Firewall Initialization####################################"
    echo "#V1.8 - 18/08/2010##########################################"
    ##################################################################
    #Network Interfaces
    I_RT="eth0"
    I_SRV="eth1"
    I_CLT="eth2"
    
    #IP Firewall interfaces
    IP_RT="192.168.1.1"
    IP_SRV="192.168.2.1"
    IP_CLT="192.168.3.1"
    
    #Network
    LAN_RT="192.168.1.0/24"
    LAN_SRV="192.168.2.0/24"
    LAN_CLT="192.168.3.0/24"
    
    #IP
    #IP_SW="192.168.2.5 192.168.3.5 192.168.3.6"
    IP_ADMIN="192.168.3.10 192.168.3.11 192.168.3.12 192.168.2.240"
    IP_VMW1="192.168.2.10"
    IP_DNS="192.168.2.21"
    IP_AD="192.168.2.21"
    IP_LIMS="192.168.2.22"
    IP_BACKUP="192.168.2.23"
    IP_WSUS="192.168.2.24"
    IP_NAS="192.168.2.25"
    IP_SPOT="192.168.2.27"
    
    #LIMS Printers
    IMP_LIMS="192.168.3.210 192.168.3.211 192.168.3.212"
    IMP_DESK="192.168.2.200 192.168.2.201"
    
    GRP_SSH="192.168.2.22 192.168.2.23"
    
    #NOTE: the same resolver is listed twice, so every DNS rule below is created twice
    DNS_ISP="212.27.40.240 212.27.40.240"
    
    #POP and SMTP
    SRV_POP="212.227.15.140 212.227.15.156 64.202.165.92"
    SRV_SMTP="212.227.15.168 212.227.15.184 66.245.241.38"
    
    INTERNET="192.168.3.0/24 192.168.2.24"
    
    NTP="194.57.169.1"
    
    
    #BANNED IP
    IP_RESERVED="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 3.0.0.0/8 4.0.0.0/8 5.0.0.0/8 7.0.0.0/8 10.0.0.0/8 14.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8
    36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8
    74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8
    89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8
    101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8
    112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8
    123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 169.254.0.0/16 172.16.0.0/12 173.0.0.0/8 174.0.0.0/8 175.0.0.0/8
    176.0.0.0/8 177.0.0.0/8 178.0.0.0/8 179.0.0.0/8 180.0.0.0/8 181.0.0.0/8 182.0.0.0/8 183.0.0.0/8 184.0.0.0/8 185.0.0.0/8 186.0.0.0/8
    187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8
    228.0.0.0/8 229.0.0.0/8 230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 236.0.0.0/8 237.0.0.0/8 238.0.0.0/8
    239.0.0.0/8 240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8
    250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8" 
    
    #Default rules
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    #Flush all rules
    iptables -F
    iptables -X
    iptables -Z
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -Z
    
    
    ###########################################################
    echo "#Network services###########################################"
    ###########################################################
    #Routing (active at the end)
    echo "0" > /proc/sys/net/ipv4/ip_forward
    
    #Ignore ICMP redirects and source-routed packets
    echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/default/secure_redirects
    echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
    
    #ICMP attack
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    
    #Spoofing attack
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
    
    #Syn-flood attack
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    
    #TCP timestamps (RFC 1323)
    echo "1" > /proc/sys/net/ipv4/tcp_timestamps
    
    #Shorter FIN-WAIT-2 timeout for closing TCP connections
    echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
    
    #Send keepalive probes after 30 minutes of idle time
    echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
    
    #Disable TCP window scaling (no receive windows larger than 65535 bytes)
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    
    #Disable selective acknowledgements (SACK)
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    
    
    ###########################################################
    echo "#Logs rules#################################################"
    ###########################################################
    
    
    
    ###########################################################
    echo "#Shared rules###############################################"
    ###########################################################
    #IP BANNED
    for reserved in $IP_RESERVED; do 
    		iptables -A INPUT -i $I_RT -s $reserved -j DROP
    		iptables -A FORWARD -i $I_RT -s $reserved -j DROP
    done
     
    #Ignore invalid packets
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    
    #Block scan ports
    iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    
    #Prevent some attacks
    #(-i takes an interface name; the original used $IP_CLT, an address, so the rule never matched)
    iptables -A INPUT -i $I_CLT -p tcp -m multiport --sport 20,21,22,23,25,53,80,110,143,443,993,995 -j DROP
    iptables -A INPUT -p tcp --sport 0 -j DROP
    iptables -A INPUT -p udp --sport 0 -j DROP
    iptables -A INPUT -p tcp --dport 0 -j DROP
    iptables -A INPUT -p udp --dport 0 -j DROP
    
    iptables -N syn-flood
    iptables -A syn-flood -m limit --limit 5/s --limit-burst 4 -j ACCEPT
    iptables -A syn-flood -j DROP
    iptables -A INPUT -i $I_RT -p tcp --syn -j syn-flood
    iptables -A INPUT -i $I_CLT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A FORWARD -p tcp --syn -m limit --limit 5/s -j ACCEPT
    iptables -A FORWARD -p udp -m limit --limit 5/s -j ACCEPT
    
    #NAT (Masquerade)
    iptables -t nat -A POSTROUTING -o $I_RT -j MASQUERADE
    
    #Localhost
    iptables -I INPUT -i lo -j ACCEPT
    iptables -I OUTPUT -o lo -j ACCEPT
    
    #Allow Ping from Admin to firewall (better configuration coming)
    for adm_ping in $IP_ADMIN; do
    		iptables -I INPUT -p icmp -s $adm_ping -j ACCEPT
    		iptables -I OUTPUT -p icmp -d $adm_ping -j ACCEPT
    done
    
    #Authorised current connections
    #NOTE: the INPUT and OUTPUT rules below also accept NEW and are inserted with -I,
    #so they land above every DROP rule in the chain and accept any new connection
    #to or from the firewall (rule 5 in the INPUT listing). Keeping only
    #ESTABLISHED,RELATED here and allowing new connections through the explicit
    #rules preserves the default-deny policy.
    iptables -I INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -i $I_CLT -o $I_SRV -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -i $I_SRV -o $I_CLT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    ###########################################################
    echo "#Rules on LAN_SRV###########################################"
    ###########################################################
    #SSH & SCP
    for adm_ssh in $IP_ADMIN; do 
    		iptables -I INPUT -p tcp -s $adm_ssh --sport 1024:65535 -d $IP_SRV --dport 324 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    		iptables -I OUTPUT -p tcp -s $IP_SRV --sport 324 -d $adm_ssh --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    
    
    ###########################################################
    echo "#Rules on LAN_RT############################################"
    ###########################################################
    #DNS
    for rt_dns in $DNS_ISP; do
    iptables -A OUTPUT -p udp --sport 1024:65535 -d $rt_dns --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -s $rt_dns --sport 53 --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 1024:65535 -d $rt_dns --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -s $rt_dns --sport 53 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    
    iptables -A OUTPUT -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    
    ###########################################################
    echo "#Forward servers request####################################"
    ###########################################################
    
    ###################
    #NTP server
    for ntp in $NTP; do
            iptables -I FORWARD -p udp -s $IP_WSUS --sport 1024:65535 -d $ntp --dport 123 -j ACCEPT
            iptables -I FORWARD -p udp -s $ntp --sport 123 -d $IP_WSUS --dport 1024:65535 -j ACCEPT
    done
    ###################
    
    
    ###########################################################
    echo "#Forward clients request##############################"
    ###########################################################
    #Allow PING for Admin
    for ping_adm in $IP_ADMIN; do
                 iptables -A FORWARD -p icmp -s $ping_adm -j ACCEPT
                 iptables -A FORWARD -p icmp -d $ping_adm -j ACCEPT
    done
    
    ###################
    #Allow clients ping on AD (necessary for GPO)
    iptables -A FORWARD -p icmp -s $LAN_CLT -d $IP_AD -j ACCEPT
    iptables -A FORWARD -p icmp -s $IP_AD -d $LAN_CLT -j ACCEPT
    
    #Active Directory
    iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_AD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp -s $IP_AD -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_AD -j ACCEPT
    iptables -I FORWARD -p udp -s $IP_AD -d $LAN_CLT --dport 1024:65535 -j ACCEPT
    
    #LAN_DEBR is never defined above, so these four commands fail with an iptables
    #usage error; left disabled until that network is defined.
    #iptables -I FORWARD -p tcp -s $LAN_DEBR --sport 1024:65535 -d $IP_AD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #iptables -I FORWARD -p tcp -s $IP_AD -d $LAN_DEBR --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -I FORWARD -p udp -s $LAN_DEBR --sport 1024:65535 -d $IP_AD -j ACCEPT
    #iptables -I FORWARD -p udp -s $IP_AD -d $LAN_DEBR --dport 1024:65535 -j ACCEPT
    ###################
    
    ###################
    #DNS (internal)
    iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_DNS --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp -s $IP_DNS --sport 53 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_DNS --dport 53 -j ACCEPT
    iptables -I FORWARD -p udp -s $IP_DNS --sport 53 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
    
    #DNS (ISP)
    for dns_srv in $DNS_ISP; do
        for int in $INTERNET; do
            iptables -I FORWARD -p tcp -s $int --sport 1024:65535 -d $dns_srv --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
            iptables -I FORWARD -p tcp -s $dns_srv --sport 53 -d $int --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
            iptables -I FORWARD -p udp -s $int --sport 1024:65535 -d $dns_srv --dport 53 -j ACCEPT
            iptables -I FORWARD -p udp -s $dns_srv --sport 53 -d $int --dport 1024:65535 -j ACCEPT
        done
    done
    ###################
    
    ###################
    #Internet (80/443)
    for int in $INTERNET; do
    		iptables -I FORWARD -p tcp -s $int --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    		iptables -I FORWARD -p tcp --sport 80 -d $int --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    		iptables -I FORWARD -p tcp -s $int --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    		iptables -I FORWARD -p tcp --sport 443 -d $int --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    ###################
    
    ###################
    #LIMS
    iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_LIMS --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp -s $IP_LIMS --sport 8080 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #Enterprise Manager for Oracle
    for ip_adm in $IP_ADMIN; do
    		iptables -I FORWARD -p tcp -s $ip_adm --sport 1024:65535 -d $IP_LIMS --dport 1158 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    		iptables -I FORWARD -p tcp -s $IP_LIMS --sport 1158 -d $ip_adm --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    
    #LIMS printers
    for imp_lims in $IMP_LIMS; do
    		iptables -A FORWARD -p tcp -s $IP_LIMS --sport 1024:65535 -d $imp_lims --dport 9100 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    
    #Spectro.bat app
    iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_LIMS --dport 1099 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -s $IP_LIMS --sport 1099 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_LIMS --dport 1099 -j ACCEPT
    iptables -A FORWARD -p udp -s $IP_LIMS --sport 1099 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
    ###################
    
    ###################
    #SSH
    for ip in $IP_ADMIN; do 
    		for ssh in $GRP_SSH; do
                #NEW belongs on the admin -> server direction; the original had it on the
                #reply side and a typo (ESTABLISHE) that made both commands fail
                iptables -I FORWARD -p tcp -s $ip --sport 1024:65535 -d $ssh --dport 324 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
                iptables -I FORWARD -p tcp -s $ssh --sport 324 -d $ip --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    		done
    done
    ###################
    
    ###################
    #Mail (SMTP & POP)
    for pop in $SRV_POP; do
    		iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $pop --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    		iptables -I FORWARD -p tcp -s $pop --sport 110 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    
    for smtp in $SRV_SMTP; do
    		iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $smtp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    		iptables -I FORWARD -p tcp -s $smtp --sport 25 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    
    for smtp in $SRV_SMTP; do
    		iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $smtp --dport 587 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    		iptables -I FORWARD -p tcp -s $smtp --sport 587 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    ###################
    
    ###################
    #BSI-WSUS (WSUS)
    iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 8530 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -s $IP_WSUS --sport 8530 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #BSI-WSUS (Order + BaseBSI)
    iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -s $IP_WSUS --sport 500 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #BSI-WSUS (Spool printer)
    iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 9100 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    
    #BSI-WSUS (Origin)
    iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 61616 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -s $IP_WSUS --sport 61616 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 61616 -j ACCEPT
    iptables -A FORWARD -p udp -s $IP_WSUS --sport 61616 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
    
    #BSI-WSUS (Symantec Endpoint Protection)
    iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 8014 -j ACCEPT
    iptables -I FORWARD -p tcp -s $IP_WSUS --sport 8014 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
    
    #BSI-WSUS (NTP)
    iptables -I FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 123 -j ACCEPT
    iptables -I FORWARD -p udp -s $IP_WSUS --sport 123 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
    ###################
    
    ###################
    #BSI-NAS (WEB interface)
    for ip_nas in $IP_ADMIN; do 
    		iptables -A FORWARD -p tcp -s $ip_nas --sport 1024:65535 -d $IP_NAS --dport 446 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    		iptables -A FORWARD -p tcp -s $IP_NAS --sport 446 -d $ip_nas --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    ###################
    
    ###################
    #Spotfire
    iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_SPOT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -s $IP_SPOT -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_SPOT -j ACCEPT
    iptables -A FORWARD -p udp -s $IP_SPOT -d $LAN_CLT --dport 1024:65535 -j ACCEPT
    ###################
    
    
    ###########################################################
    echo "#Routing activation#########################################"
    ###########################################################
    echo "1" > /proc/sys/net/ipv4/ip_forward
    
    
    ###########################################################
    echo "#End of firewall initialization#############################"
    echo "############################################################"
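To make the ordering point concrete, here is an added first-match model of the INPUT chain the script above builds (example code written for this thread, not the poster's script and not iptables itself). It replays the script's mix of `-I` (insert at position 1) and `-A` (append) on a handful of representative rules, then evaluates constructed packets top-down; the interface names, ports and addresses come from the script, the packets and the hardened ordering are assumptions.

```python
"""First-match model of an iptables chain built with -I and -A.

Constructed example: only the match fields the demonstration needs
(-i, -s, -p, --dport, -m state, --syn) are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    target: str                          # -j
    iface: Optional[str] = None          # -i
    src: Optional[str] = None            # -s (CIDR or host)
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    states: Optional[frozenset] = None   # -m state --state
    syn: Optional[bool] = None           # --syn (True) or ! --syn (False)

    def matches(self, pkt: dict) -> bool:
        if self.iface and pkt["iface"] != self.iface:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        if self.syn is not None and pkt.get("syn") != self.syn:
            return False
        return True


def build_chain(ops):
    """ops: (op, rule) pairs in script order; 'I' = -I (top), 'A' = -A (bottom)."""
    chain = []
    for op, rule in ops:
        if op == "I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def verdict(chain, pkt, policy="DROP"):
    """(1-based number, target) of the first matching rule, or (None, policy)."""
    for num, rule in enumerate(chain, 1):
        if rule.matches(pkt):
            return num, rule.target
    return None, policy


ANY_STATE = frozenset({"NEW", "ESTABLISHED", "RELATED"})
REPLY = frozenset({"ESTABLISHED", "RELATED"})
NEW = frozenset({"NEW"})

# The script's INPUT rules in the order the script issues them; one reserved
# block and one admin host stand in for the loops.
SCRIPT_OPS = [
    ("A", Rule("DROP", iface="eth0", src="10.0.0.0/8")),                 # IP_RESERVED
    ("A", Rule("DROP", states=frozenset({"INVALID"}))),
    ("A", Rule("syn-flood", iface="eth0", proto="tcp", syn=True)),
    ("A", Rule("DROP", iface="eth2", proto="tcp", syn=False, states=NEW)),
    ("I", Rule("ACCEPT", iface="lo")),
    ("I", Rule("ACCEPT", proto="icmp", src="192.168.3.10")),
    ("I", Rule("ACCEPT", states=ANY_STATE)),                              # catch-all
    ("I", Rule("ACCEPT", proto="tcp", src="192.168.3.10", dport=324, states=ANY_STATE)),
]

# Assumed hardened ordering: DROPs first, generic ACCEPT only for replies,
# new connections only through explicit rules.
HARDENED_OPS = [
    ("I", Rule("ACCEPT", iface="lo")),
    ("A", Rule("DROP", iface="eth0", src="10.0.0.0/8")),
    ("A", Rule("DROP", states=frozenset({"INVALID"}))),
    ("A", Rule("syn-flood", iface="eth0", proto="tcp", syn=True)),
    ("A", Rule("DROP", iface="eth2", proto="tcp", syn=False, states=NEW)),
    ("A", Rule("ACCEPT", states=REPLY)),
    ("A", Rule("ACCEPT", proto="icmp", src="192.168.3.10")),
    ("A", Rule("ACCEPT", proto="tcp", src="192.168.3.10", dport=324, states=NEW)),
]

# Constructed packets: a new SYN from a bogon source on the WAN side, an admin
# SSH connection from the client LAN, and a DNS reply from the ISP resolver.
BOGON_SYN = {"iface": "eth0", "src": "10.1.2.3", "proto": "tcp", "dport": 80,
             "state": "NEW", "syn": True}
ADMIN_SSH = {"iface": "eth2", "src": "192.168.3.10", "proto": "tcp", "dport": 324,
             "state": "NEW", "syn": True}
ISP_DNS_REPLY = {"iface": "eth0", "src": "212.27.40.240", "proto": "udp",
                 "dport": 40000, "state": "ESTABLISHED"}


def script_verdict(pkt):
    return verdict(build_chain(SCRIPT_OPS), pkt)


def hardened_verdict(pkt):
    return verdict(build_chain(HARDENED_OPS), pkt)


if __name__ == "__main__":
    for name, ops in (("script", SCRIPT_OPS), ("hardened", HARDENED_OPS)):
        chain = build_chain(ops)
        print(f"{name} INPUT chain:")
        for num, rule in enumerate(chain, 1):
            print(f"  {num:2d} {rule}")
        for label, pkt in (("bogon SYN", BOGON_SYN), ("admin SSH", ADMIN_SSH),
                           ("DNS reply", ISP_DNS_REPLY)):
            print(f"  {label}: {verdict(chain, pkt)}")
```

In the script ordering the catch-all lands at position 2 and accepts the bogon SYN before the reserved-address DROP is ever consulted; in the hardened ordering the same packet is dropped at rule 2 while the admin SSH and DNS reply still pass.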

  5. #5
    Just Joined!
    Join Date
    Aug 2010
    Posts
    22
    I lost my connection again...
    I've restarted my router and it's up again...
    I again received a mail from the router about a SYN-flood attack from my 192.168.1.1 IP address.

    I attach the result of this command:
    iptables -L > iptables.log

    Code:
    Chain INPUT (policy DROP)
    num  target     prot opt source               destination         
    1    ACCEPT     tcp  --  192.168.2.240        192.168.2.1         tcp spts:1024:65535 dpt:324 state NEW,RELATED,ESTABLISHED 
    2    ACCEPT     tcp  --  192.168.3.12         192.168.2.1         tcp spts:1024:65535 dpt:324 state NEW,RELATED,ESTABLISHED 
    3    ACCEPT     tcp  --  192.168.3.11         192.168.2.1         tcp spts:1024:65535 dpt:324 state NEW,RELATED,ESTABLISHED 
    4    ACCEPT     tcp  --  192.168.3.10         192.168.2.1         tcp spts:1024:65535 dpt:324 state NEW,RELATED,ESTABLISHED 
    5    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
    6    ACCEPT     icmp --  192.168.2.240        anywhere            icmp echo-request 
    7    ACCEPT     icmp --  192.168.3.12         anywhere            icmp echo-request 
    8    ACCEPT     icmp --  192.168.3.11         anywhere            icmp echo-request 
    9    ACCEPT     icmp --  192.168.3.10         anywhere            icmp echo-request 
    10   ACCEPT     all  --  anywhere             anywhere            
    11   DROP       all  --  0.0.0.0/8            anywhere            
    12   DROP       all  --  1.0.0.0/8            anywhere            
    13   DROP       all  --  2.0.0.0/8            anywhere            
    14   DROP       all  --  3.0.0.0/8            anywhere            
    15   DROP       all  --  4.0.0.0/8            anywhere            
    16   DROP       all  --  5.0.0.0/8            anywhere            
    17   DROP       all  --  7.0.0.0/8            anywhere            
    18   DROP       all  --  10.0.0.0/8           anywhere            
    19   DROP       all  --  14.0.0.0/8           anywhere            
    20   DROP       all  --  23.0.0.0/8           anywhere            
    21   DROP       all  --  27.0.0.0/8           anywhere            
    22   DROP       all  --  31.0.0.0/8           anywhere            
    23   DROP       all  --  36.0.0.0/8           anywhere            
    24   DROP       all  --  37.0.0.0/8           anywhere            
    25   DROP       all  --  39.0.0.0/8           anywhere            
    26   DROP       all  --  41.0.0.0/8           anywhere            
    27   DROP       all  --  42.0.0.0/8           anywhere            
    28   DROP       all  --  58.0.0.0/8           anywhere            
    29   DROP       all  --  59.0.0.0/8           anywhere            
    30   DROP       all  --  60.0.0.0/8           anywhere            
    31   DROP       all  --  70.0.0.0/8           anywhere            
    32   DROP       all  --  71.0.0.0/8           anywhere            
    33   DROP       all  --  72.0.0.0/8           anywhere            
    34   DROP       all  --  73.0.0.0/8           anywhere            
    35   DROP       all  --  74.0.0.0/8           anywhere            
    36   DROP       all  --  75.0.0.0/8           anywhere            
    37   DROP       all  --  76.0.0.0/8           anywhere            
    38   DROP       all  --  77.0.0.0/8           anywhere            
    39   DROP       all  --  78.0.0.0/8           anywhere            
    40   DROP       all  --  79.0.0.0/8           anywhere            
    41   DROP       all  --  83.0.0.0/8           anywhere            
    42   DROP       all  --  84.0.0.0/8           anywhere            
    43   DROP       all  --  85.0.0.0/8           anywhere            
    44   DROP       all  --  86.0.0.0/8           anywhere            
    45   DROP       all  --  87.0.0.0/8           anywhere            
    46   DROP       all  --  88.0.0.0/8           anywhere            
    47   DROP       all  --  89.0.0.0/8           anywhere            
    48   DROP       all  --  90.0.0.0/8           anywhere            
    49   DROP       all  --  91.0.0.0/8           anywhere            
    50   DROP       all  --  92.0.0.0/8           anywhere            
    51   DROP       all  --  93.0.0.0/8           anywhere            
    52   DROP       all  --  94.0.0.0/8           anywhere            
    53   DROP       all  --  95.0.0.0/8           anywhere            
    54   DROP       all  --  96.0.0.0/8           anywhere            
    55   DROP       all  --  97.0.0.0/8           anywhere            
    56   DROP       all  --  98.0.0.0/8           anywhere            
    57   DROP       all  --  99.0.0.0/8           anywhere            
    58   DROP       all  --  100.0.0.0/8          anywhere            
    59   DROP       all  --  101.0.0.0/8          anywhere            
    60   DROP       all  --  102.0.0.0/8          anywhere            
    61   DROP       all  --  103.0.0.0/8          anywhere            
    62   DROP       all  --  104.0.0.0/8          anywhere            
    63   DROP       all  --  105.0.0.0/8          anywhere            
    64   DROP       all  --  106.0.0.0/8          anywhere            
    65   DROP       all  --  107.0.0.0/8          anywhere            
    66   DROP       all  --  108.0.0.0/8          anywhere            
    67   DROP       all  --  109.0.0.0/8          anywhere            
    68   DROP       all  --  110.0.0.0/8          anywhere            
    69   DROP       all  --  111.0.0.0/8          anywhere            
    70   DROP       all  --  112.0.0.0/8          anywhere            
    71   DROP       all  --  113.0.0.0/8          anywhere            
    72   DROP       all  --  114.0.0.0/8          anywhere            
    73   DROP       all  --  115.0.0.0/8          anywhere            
    74   DROP       all  --  116.0.0.0/8          anywhere            
    75   DROP       all  --  117.0.0.0/8          anywhere            
    76   DROP       all  --  118.0.0.0/8          anywhere            
    77   DROP       all  --  119.0.0.0/8          anywhere            
    78   DROP       all  --  120.0.0.0/8          anywhere            
    79   DROP       all  --  121.0.0.0/8          anywhere            
    80   DROP       all  --  122.0.0.0/8          anywhere            
    81   DROP       all  --  123.0.0.0/8          anywhere            
    82   DROP       all  --  124.0.0.0/8          anywhere            
    83   DROP       all  --  125.0.0.0/8          anywhere            
    84   DROP       all  --  126.0.0.0/8          anywhere            
    85   DROP       all  --  169.254.0.0/16       anywhere            
    86   DROP       all  --  172.16.0.0/12        anywhere            
    87   DROP       all  --  173.0.0.0/8          anywhere            
    88   DROP       all  --  174.0.0.0/8          anywhere            
    89   DROP       all  --  175.0.0.0/8          anywhere            
    90   DROP       all  --  176.0.0.0/8          anywhere            
    91   DROP       all  --  177.0.0.0/8          anywhere            
    92   DROP       all  --  178.0.0.0/8          anywhere            
    93   DROP       all  --  179.0.0.0/8          anywhere            
    94   DROP       all  --  180.0.0.0/8          anywhere            
    95   DROP       all  --  181.0.0.0/8          anywhere            
    96   DROP       all  --  182.0.0.0/8          anywhere            
    97   DROP       all  --  183.0.0.0/8          anywhere            
    98   DROP       all  --  184.0.0.0/8          anywhere            
    99   DROP       all  --  185.0.0.0/8          anywhere            
    100  DROP       all  --  186.0.0.0/8          anywhere            
    101  DROP       all  --  187.0.0.0/8          anywhere            
    102  DROP       all  --  189.0.0.0/8          anywhere            
    103  DROP       all  --  190.0.0.0/8          anywhere            
    104  DROP       all  --  197.0.0.0/8          anywhere            
    105  DROP       all  --  222.0.0.0/8          anywhere            
    106  DROP       all  --  223.0.0.0/8          anywhere            
    107  DROP       all  --  224.0.0.0/8          anywhere            
    108  DROP       all  --  225.0.0.0/8          anywhere            
    109  DROP       all  --  226.0.0.0/8          anywhere            
    110  DROP       all  --  227.0.0.0/8          anywhere            
    111  DROP       all  --  228.0.0.0/8          anywhere            
    112  DROP       all  --  229.0.0.0/8          anywhere            
    113  DROP       all  --  230.0.0.0/8          anywhere            
    114  DROP       all  --  231.0.0.0/8          anywhere            
    115  DROP       all  --  232.0.0.0/8          anywhere            
    116  DROP       all  --  233.0.0.0/8          anywhere            
    117  DROP       all  --  234.0.0.0/8          anywhere            
    118  DROP       all  --  235.0.0.0/8          anywhere            
    119  DROP       all  --  236.0.0.0/8          anywhere            
    120  DROP       all  --  237.0.0.0/8          anywhere            
    121  DROP       all  --  238.0.0.0/8          anywhere            
    122  DROP       all  --  239.0.0.0/8          anywhere            
    123  DROP       all  --  240.0.0.0/8          anywhere            
    124  DROP       all  --  241.0.0.0/8          anywhere            
    125  DROP       all  --  242.0.0.0/8          anywhere            
    126  DROP       all  --  243.0.0.0/8          anywhere            
    127  DROP       all  --  244.0.0.0/8          anywhere            
    128  DROP       all  --  245.0.0.0/8          anywhere            
    129  DROP       all  --  246.0.0.0/8          anywhere            
    130  DROP       all  --  247.0.0.0/8          anywhere            
    131  DROP       all  --  248.0.0.0/8          anywhere            
    132  DROP       all  --  249.0.0.0/8          anywhere            
    133  DROP       all  --  250.0.0.0/8          anywhere            
    134  DROP       all  --  251.0.0.0/8          anywhere            
    135  DROP       all  --  252.0.0.0/8          anywhere            
    136  DROP       all  --  253.0.0.0/8          anywhere            
    137  DROP       all  --  254.0.0.0/8          anywhere            
    138  DROP       all  --  255.0.0.0/8          anywhere            
    139  DROP       all  --  anywhere             anywhere            state INVALID 
    140  DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
    141  DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
    142  DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
    143  DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN 
    144  DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
    145  DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
    146  DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    147  DROP       tcp  --  anywhere             anywhere            multiport sports ftp-data,ftp,ssh,telnet,smtp,domain,http,pop3,imap,https,imaps,pop3s 
    148  DROP       tcp  --  anywhere             anywhere            tcp spt:0 
    149  DROP       udp  --  anywhere             anywhere            udp spt:0 
    150  DROP       tcp  --  anywhere             anywhere            tcp dpt:0 
    151  DROP       udp  --  anywhere             anywhere            udp dpt:0 
    152  syn-flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
    153  DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
    154  ACCEPT     udp  --  212.27.40.240        anywhere            udp spt:domain dpts:1024:65535 
    155  ACCEPT     tcp  --  212.27.40.240        anywhere            tcp spt:domain dpts:1024:65535 state RELATED,ESTABLISHED 
    156  ACCEPT     udp  --  212.27.40.240        anywhere            udp spt:domain dpts:1024:65535 
    157  ACCEPT     tcp  --  212.27.40.240        anywhere            tcp spt:domain dpts:1024:65535 state RELATED,ESTABLISHED 
    158  ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http dpts:1024:65535 state RELATED,ESTABLISHED 
    
    Chain FORWARD (policy DROP)
    num  target     prot opt source               destination         
    1    ACCEPT     udp  --  192.168.2.24         192.168.3.0/24      udp spt:ntp dpts:1024:65535 
    2    ACCEPT     udp  --  192.168.3.0/24       192.168.2.24        udp spts:1024:65535 dpt:ntp 
    3    ACCEPT     tcp  --  192.168.2.24         192.168.3.0/24      tcp spt:8014 dpts:1024:65535 
    4    ACCEPT     tcp  --  192.168.3.0/24       192.168.2.24        tcp spts:1024:65535 dpt:8014 
    5    ACCEPT     tcp  --  66.245.241.38        192.168.3.0/24      tcp spt:submission dpts:1024:65535 state RELATED,ESTABLISHED 
    6    ACCEPT     tcp  --  192.168.3.0/24       66.245.241.38       tcp spts:1024:65535 dpt:submission state NEW,RELATED,ESTABLISHED 
    7    ACCEPT     tcp  --  212.227.15.184       192.168.3.0/24      tcp spt:submission dpts:1024:65535 state RELATED,ESTABLISHED 
    8    ACCEPT     tcp  --  192.168.3.0/24       212.227.15.184      tcp spts:1024:65535 dpt:submission state NEW,RELATED,ESTABLISHED 
    9    ACCEPT     tcp  --  212.227.15.168       192.168.3.0/24      tcp spt:submission dpts:1024:65535 state RELATED,ESTABLISHED 
    10   ACCEPT     tcp  --  192.168.3.0/24       212.227.15.168      tcp spts:1024:65535 dpt:submission state NEW,RELATED,ESTABLISHED 
    11   ACCEPT     tcp  --  66.245.241.38        192.168.3.0/24      tcp spt:smtp dpts:1024:65535 state RELATED,ESTABLISHED 
    12   ACCEPT     tcp  --  192.168.3.0/24       66.245.241.38       tcp spts:1024:65535 dpt:smtp state NEW,RELATED,ESTABLISHED 
    13   ACCEPT     tcp  --  212.227.15.184       192.168.3.0/24      tcp spt:smtp dpts:1024:65535 state RELATED,ESTABLISHED 
    14   ACCEPT     tcp  --  192.168.3.0/24       212.227.15.184      tcp spts:1024:65535 dpt:smtp state NEW,RELATED,ESTABLISHED 
    15   ACCEPT     tcp  --  212.227.15.168       192.168.3.0/24      tcp spt:smtp dpts:1024:65535 state RELATED,ESTABLISHED 
    16   ACCEPT     tcp  --  192.168.3.0/24       212.227.15.168      tcp spts:1024:65535 dpt:smtp state NEW,RELATED,ESTABLISHED 
    17   ACCEPT     tcp  --  64.202.165.92        192.168.3.0/24      tcp spt:pop3 dpts:1024:65535 state RELATED,ESTABLISHED 
    18   ACCEPT     tcp  --  192.168.3.0/24       64.202.165.92       tcp spts:1024:65535 dpt:pop3 state NEW,RELATED,ESTABLISHED 
    19   ACCEPT     tcp  --  212.227.15.156       192.168.3.0/24      tcp spt:pop3 dpts:1024:65535 state RELATED,ESTABLISHED 
    20   ACCEPT     tcp  --  192.168.3.0/24       212.227.15.156      tcp spts:1024:65535 dpt:pop3 state NEW,RELATED,ESTABLISHED 
    21   ACCEPT     tcp  --  212.227.15.140       192.168.3.0/24      tcp spt:pop3 dpts:1024:65535 state RELATED,ESTABLISHED 
    22   ACCEPT     tcp  --  192.168.3.0/24       212.227.15.140      tcp spts:1024:65535 dpt:pop3 state NEW,RELATED,ESTABLISHED 
    23   ACCEPT     tcp  --  192.168.2.23         192.168.2.240       tcp spt:324 dpts:1024:65535 state NEW,RELATED,ESTABLISHED 
    24   ACCEPT     tcp  --  192.168.2.240        192.168.2.23        tcp spts:1024:65535 dpt:324 state RELATED,ESTABLISHED 
    25   ACCEPT     tcp  --  192.168.2.22         192.168.2.240       tcp spt:324 dpts:1024:65535 state NEW,RELATED,ESTABLISHED 
    26   ACCEPT     tcp  --  192.168.2.240        192.168.2.22        tcp spts:1024:65535 dpt:324 state RELATED,ESTABLISHED 
    27   ACCEPT     tcp  --  192.168.2.23         192.168.3.12        tcp spt:324 dpts:1024:65535 state NEW,RELATED,ESTABLISHED 
    28   ACCEPT     tcp  --  192.168.3.12         192.168.2.23        tcp spts:1024:65535 dpt:324 state RELATED,ESTABLISHED 
    29   ACCEPT     tcp  --  192.168.2.22         192.168.3.12        tcp spt:324 dpts:1024:65535 state NEW,RELATED,ESTABLISHED 
    30   ACCEPT     tcp  --  192.168.3.12         192.168.2.22        tcp spts:1024:65535 dpt:324 state RELATED,ESTABLISHED 
    31   ACCEPT     tcp  --  192.168.2.23         192.168.3.11        tcp spt:324 dpts:1024:65535 state NEW,RELATED,ESTABLISHED 
    32   ACCEPT     tcp  --  192.168.3.11         192.168.2.23        tcp spts:1024:65535 dpt:324 state RELATED,ESTABLISHED 
    33   ACCEPT     tcp  --  192.168.2.22         192.168.3.11        tcp spt:324 dpts:1024:65535 state NEW,RELATED,ESTABLISHED 
    34   ACCEPT     tcp  --  192.168.3.11         192.168.2.22        tcp spts:1024:65535 dpt:324 state RELATED,ESTABLISHED 
    35   ACCEPT     tcp  --  192.168.2.23         192.168.3.10        tcp spt:324 dpts:1024:65535 state NEW,RELATED,ESTABLISHED 
    36   ACCEPT     tcp  --  192.168.3.10         192.168.2.23        tcp spts:1024:65535 dpt:324 state RELATED,ESTABLISHED 
    37   ACCEPT     tcp  --  192.168.2.22         192.168.3.10        tcp spt:324 dpts:1024:65535 state NEW,RELATED,ESTABLISHED 
    38   ACCEPT     tcp  --  192.168.3.10         192.168.2.22        tcp spts:1024:65535 dpt:324 state RELATED,ESTABLISHED 
    39   ACCEPT     tcp  --  192.168.2.22         192.168.2.240       tcp spt:dbcontrol-oms dpts:1024:65535 state RELATED,ESTABLISHED 
    40   ACCEPT     tcp  --  192.168.2.240        192.168.2.22        tcp spts:1024:65535 dpt:dbcontrol-oms state NEW,RELATED,ESTABLISHED 
    41   ACCEPT     tcp  --  192.168.2.22         192.168.3.12        tcp spt:dbcontrol-oms dpts:1024:65535 state RELATED,ESTABLISHED 
    42   ACCEPT     tcp  --  192.168.3.12         192.168.2.22        tcp spts:1024:65535 dpt:dbcontrol-oms state NEW,RELATED,ESTABLISHED 
    43   ACCEPT     tcp  --  192.168.2.22         192.168.3.11        tcp spt:dbcontrol-oms dpts:1024:65535 state RELATED,ESTABLISHED 
    44   ACCEPT     tcp  --  192.168.3.11         192.168.2.22        tcp spts:1024:65535 dpt:dbcontrol-oms state NEW,RELATED,ESTABLISHED 
    45   ACCEPT     tcp  --  192.168.2.22         192.168.3.10        tcp spt:dbcontrol-oms dpts:1024:65535 state RELATED,ESTABLISHED 
    46   ACCEPT     tcp  --  192.168.3.10         192.168.2.22        tcp spts:1024:65535 dpt:dbcontrol-oms state NEW,RELATED,ESTABLISHED 
    47   ACCEPT     tcp  --  192.168.2.22         192.168.158.0/24    tcp spt:webcache state RELATED,ESTABLISHED 
    48   ACCEPT     tcp  --  192.168.158.0/24     192.168.2.22        tcp dpt:webcache state NEW,RELATED,ESTABLISHED 
    49   ACCEPT     tcp  --  192.168.2.22         192.168.3.0/24      tcp spt:webcache dpts:1024:65535 state RELATED,ESTABLISHED 
    50   ACCEPT     tcp  --  192.168.3.0/24       192.168.2.22        tcp spts:1024:65535 dpt:webcache state NEW,RELATED,ESTABLISHED 
    51   ACCEPT     tcp  --  anywhere             192.168.2.24        tcp spt:https dpts:1024:65535 state RELATED,ESTABLISHED 
    52   ACCEPT     tcp  --  192.168.2.24         anywhere            tcp spts:1024:65535 dpt:https state NEW,RELATED,ESTABLISHED 
    53   ACCEPT     tcp  --  anywhere             192.168.2.24        tcp spt:http dpts:1024:65535 state RELATED,ESTABLISHED 
    54   ACCEPT     tcp  --  192.168.2.24         anywhere            tcp spts:1024:65535 dpt:http state NEW,RELATED,ESTABLISHED 
    55   ACCEPT     tcp  --  anywhere             192.168.3.0/24      tcp spt:https dpts:1024:65535 state RELATED,ESTABLISHED 
    56   ACCEPT     tcp  --  192.168.3.0/24       anywhere            tcp spts:1024:65535 dpt:https state NEW,RELATED,ESTABLISHED 
    57   ACCEPT     tcp  --  anywhere             192.168.3.0/24      tcp spt:http dpts:1024:65535 state RELATED,ESTABLISHED 
    58   ACCEPT     tcp  --  192.168.3.0/24       anywhere            tcp spts:1024:65535 dpt:http state NEW,RELATED,ESTABLISHED 
    59   ACCEPT     udp  --  212.27.40.240        192.168.2.24        udp spt:domain dpts:1024:65535 
    60   ACCEPT     udp  --  192.168.2.24         212.27.40.240       udp spts:1024:65535 dpt:domain 
    61   ACCEPT     tcp  --  212.27.40.240        192.168.2.24        tcp spt:domain dpts:1024:65535 state RELATED,ESTABLISHED 
    62   ACCEPT     tcp  --  192.168.2.24         212.27.40.240       tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED 
    63   ACCEPT     udp  --  212.27.40.240        192.168.3.0/24      udp spt:domain dpts:1024:65535 
    64   ACCEPT     udp  --  192.168.3.0/24       212.27.40.240       udp spts:1024:65535 dpt:domain 
    65   ACCEPT     tcp  --  212.27.40.240        192.168.3.0/24      tcp spt:domain dpts:1024:65535 state RELATED,ESTABLISHED 
    66   ACCEPT     tcp  --  192.168.3.0/24       212.27.40.240       tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED 
    67   ACCEPT     udp  --  212.27.40.240        192.168.2.24        udp spt:domain dpts:1024:65535 
    68   ACCEPT     udp  --  192.168.2.24         212.27.40.240       udp spts:1024:65535 dpt:domain 
    69   ACCEPT     tcp  --  212.27.40.240        192.168.2.24        tcp spt:domain dpts:1024:65535 state RELATED,ESTABLISHED 
    70   ACCEPT     tcp  --  192.168.2.24         212.27.40.240       tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED 
    71   ACCEPT     udp  --  212.27.40.240        192.168.3.0/24      udp spt:domain dpts:1024:65535 
    72   ACCEPT     udp  --  192.168.3.0/24       212.27.40.240       udp spts:1024:65535 dpt:domain 
    73   ACCEPT     tcp  --  212.27.40.240        192.168.3.0/24      tcp spt:domain dpts:1024:65535 state RELATED,ESTABLISHED 
    74   ACCEPT     tcp  --  192.168.3.0/24       212.27.40.240       tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED 
    75   ACCEPT     udp  --  192.168.2.21         192.168.3.0/24      udp spt:domain dpts:1024:65535 
    76   ACCEPT     udp  --  192.168.3.0/24       192.168.2.21        udp spts:1024:65535 dpt:domain 
    77   ACCEPT     tcp  --  192.168.2.21         192.168.3.0/24      tcp spt:domain dpts:1024:65535 state RELATED,ESTABLISHED 
    78   ACCEPT     tcp  --  192.168.3.0/24       192.168.2.21        tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED 
    79   ACCEPT     udp  --  192.168.2.21         192.168.158.0/24    udp dpts:1024:65535 
    80   ACCEPT     udp  --  192.168.158.0/24     192.168.2.21        udp spts:1024:65535 
    81   ACCEPT     tcp  --  192.168.2.21         192.168.158.0/24    tcp dpts:1024:65535 state RELATED,ESTABLISHED 
    82   ACCEPT     tcp  --  192.168.158.0/24     192.168.2.21        tcp spts:1024:65535 state NEW,RELATED,ESTABLISHED 
    83   ACCEPT     udp  --  192.168.2.21         192.168.3.0/24      udp dpts:1024:65535 
    84   ACCEPT     udp  --  192.168.3.0/24       192.168.2.21        udp spts:1024:65535 
    85   ACCEPT     tcp  --  192.168.2.21         192.168.3.0/24      tcp dpts:1024:65535 state RELATED,ESTABLISHED 
    86   ACCEPT     tcp  --  192.168.3.0/24       192.168.2.21        tcp spts:1024:65535 state NEW,RELATED,ESTABLISHED 
    87   ACCEPT     udp  --  194.57.169.1         192.168.2.24        udp spt:ntp dpts:1024:65535 
    88   ACCEPT     udp  --  192.168.2.24         194.57.169.1        udp spts:1024:65535 dpt:ntp 
    89   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    90   ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
    91   DROP       all  --  0.0.0.0/8            anywhere            
    92   DROP       all  --  1.0.0.0/8            anywhere            
    93   DROP       all  --  2.0.0.0/8            anywhere            
    94   DROP       all  --  3.0.0.0/8            anywhere            
    95   DROP       all  --  4.0.0.0/8            anywhere            
    96   DROP       all  --  5.0.0.0/8            anywhere            
    97   DROP       all  --  7.0.0.0/8            anywhere            
    98   DROP       all  --  10.0.0.0/8           anywhere            
    99   DROP       all  --  14.0.0.0/8           anywhere            
    100  DROP       all  --  23.0.0.0/8           anywhere            
    101  DROP       all  --  27.0.0.0/8           anywhere            
    102  DROP       all  --  31.0.0.0/8           anywhere            
    103  DROP       all  --  36.0.0.0/8           anywhere            
    104  DROP       all  --  37.0.0.0/8           anywhere            
    105  DROP       all  --  39.0.0.0/8           anywhere            
    106  DROP       all  --  41.0.0.0/8           anywhere            
    107  DROP       all  --  42.0.0.0/8           anywhere            
    108  DROP       all  --  58.0.0.0/8           anywhere            
    109  DROP       all  --  59.0.0.0/8           anywhere            
    110  DROP       all  --  60.0.0.0/8           anywhere            
    111  DROP       all  --  70.0.0.0/8           anywhere            
    112  DROP       all  --  71.0.0.0/8           anywhere            
    113  DROP       all  --  72.0.0.0/8           anywhere            
    114  DROP       all  --  73.0.0.0/8           anywhere            
    115  DROP       all  --  74.0.0.0/8           anywhere            
    116  DROP       all  --  75.0.0.0/8           anywhere            
    117  DROP       all  --  76.0.0.0/8           anywhere            
    118  DROP       all  --  77.0.0.0/8           anywhere            
    119  DROP       all  --  78.0.0.0/8           anywhere            
    120  DROP       all  --  79.0.0.0/8           anywhere            
    121  DROP       all  --  83.0.0.0/8           anywhere            
    122  DROP       all  --  84.0.0.0/8           anywhere            
    123  DROP       all  --  85.0.0.0/8           anywhere            
    124  DROP       all  --  86.0.0.0/8           anywhere            
    125  DROP       all  --  87.0.0.0/8           anywhere            
    126  DROP       all  --  88.0.0.0/8           anywhere            
    127  DROP       all  --  89.0.0.0/8           anywhere            
    128  DROP       all  --  90.0.0.0/8           anywhere            
    129  DROP       all  --  91.0.0.0/8           anywhere            
    130  DROP       all  --  92.0.0.0/8           anywhere            
    131  DROP       all  --  93.0.0.0/8           anywhere            
    132  DROP       all  --  94.0.0.0/8           anywhere            
    133  DROP       all  --  95.0.0.0/8           anywhere            
    134  DROP       all  --  96.0.0.0/8           anywhere            
    135  DROP       all  --  97.0.0.0/8           anywhere            
    136  DROP       all  --  98.0.0.0/8           anywhere            
    137  DROP       all  --  99.0.0.0/8           anywhere            
    138  DROP       all  --  100.0.0.0/8          anywhere            
    139  DROP       all  --  101.0.0.0/8          anywhere            
    140  DROP       all  --  102.0.0.0/8          anywhere            
    141  DROP       all  --  103.0.0.0/8          anywhere            
    142  DROP       all  --  104.0.0.0/8          anywhere            
    143  DROP       all  --  105.0.0.0/8          anywhere            
    144  DROP       all  --  106.0.0.0/8          anywhere            
    145  DROP       all  --  107.0.0.0/8          anywhere            
    146  DROP       all  --  108.0.0.0/8          anywhere            
    147  DROP       all  --  109.0.0.0/8          anywhere            
    148  DROP       all  --  110.0.0.0/8          anywhere            
    149  DROP       all  --  111.0.0.0/8          anywhere            
    150  DROP       all  --  112.0.0.0/8          anywhere            
    151  DROP       all  --  113.0.0.0/8          anywhere            
    152  DROP       all  --  114.0.0.0/8          anywhere            
    153  DROP       all  --  115.0.0.0/8          anywhere            
    154  DROP       all  --  116.0.0.0/8          anywhere            
    155  DROP       all  --  117.0.0.0/8          anywhere            
    156  DROP       all  --  118.0.0.0/8          anywhere            
    157  DROP       all  --  119.0.0.0/8          anywhere            
    158  DROP       all  --  120.0.0.0/8          anywhere            
    159  DROP       all  --  121.0.0.0/8          anywhere            
    160  DROP       all  --  122.0.0.0/8          anywhere            
    161  DROP       all  --  123.0.0.0/8          anywhere            
    162  DROP       all  --  124.0.0.0/8          anywhere            
    163  DROP       all  --  125.0.0.0/8          anywhere            
    164  DROP       all  --  126.0.0.0/8          anywhere            
    165  DROP       all  --  169.254.0.0/16       anywhere            
    166  DROP       all  --  172.16.0.0/12        anywhere            
    167  DROP       all  --  173.0.0.0/8          anywhere            
    168  DROP       all  --  174.0.0.0/8          anywhere            
    169  DROP       all  --  175.0.0.0/8          anywhere            
    170  DROP       all  --  176.0.0.0/8          anywhere            
    171  DROP       all  --  177.0.0.0/8          anywhere            
    172  DROP       all  --  178.0.0.0/8          anywhere            
    173  DROP       all  --  179.0.0.0/8          anywhere            
    174  DROP       all  --  180.0.0.0/8          anywhere            
    175  DROP       all  --  181.0.0.0/8          anywhere            
    176  DROP       all  --  182.0.0.0/8          anywhere            
    177  DROP       all  --  183.0.0.0/8          anywhere            
    178  DROP       all  --  184.0.0.0/8          anywhere            
    179  DROP       all  --  185.0.0.0/8          anywhere            
    180  DROP       all  --  186.0.0.0/8          anywhere            
    181  DROP       all  --  187.0.0.0/8          anywhere            
    182  DROP       all  --  189.0.0.0/8          anywhere            
    183  DROP       all  --  190.0.0.0/8          anywhere            
    184  DROP       all  --  197.0.0.0/8          anywhere            
    185  DROP       all  --  222.0.0.0/8          anywhere            
    186  DROP       all  --  223.0.0.0/8          anywhere            
    187  DROP       all  --  224.0.0.0/8          anywhere            
    188  DROP       all  --  225.0.0.0/8          anywhere            
    189  DROP       all  --  226.0.0.0/8          anywhere            
    190  DROP       all  --  227.0.0.0/8          anywhere            
    191  DROP       all  --  228.0.0.0/8          anywhere            
    192  DROP       all  --  229.0.0.0/8          anywhere            
    193  DROP       all  --  230.0.0.0/8          anywhere            
    194  DROP       all  --  231.0.0.0/8          anywhere            
    195  DROP       all  --  232.0.0.0/8          anywhere            
    196  DROP       all  --  233.0.0.0/8          anywhere            
    197  DROP       all  --  234.0.0.0/8          anywhere            
    198  DROP       all  --  235.0.0.0/8          anywhere            
    199  DROP       all  --  236.0.0.0/8          anywhere            
    200  DROP       all  --  237.0.0.0/8          anywhere            
    201  DROP       all  --  238.0.0.0/8          anywhere            
    202  DROP       all  --  239.0.0.0/8          anywhere            
    203  DROP       all  --  240.0.0.0/8          anywhere            
    204  DROP       all  --  241.0.0.0/8          anywhere            
    205  DROP       all  --  242.0.0.0/8          anywhere            
    206  DROP       all  --  243.0.0.0/8          anywhere            
    207  DROP       all  --  244.0.0.0/8          anywhere            
    208  DROP       all  --  245.0.0.0/8          anywhere            
    209  DROP       all  --  246.0.0.0/8          anywhere            
    210  DROP       all  --  247.0.0.0/8          anywhere            
    211  DROP       all  --  248.0.0.0/8          anywhere            
    212  DROP       all  --  249.0.0.0/8          anywhere            
    213  DROP       all  --  250.0.0.0/8          anywhere            
    214  DROP       all  --  251.0.0.0/8          anywhere            
    215  DROP       all  --  252.0.0.0/8          anywhere            
    216  DROP       all  --  253.0.0.0/8          anywhere            
    217  DROP       all  --  254.0.0.0/8          anywhere            
    218  DROP       all  --  255.0.0.0/8          anywhere            
    219  DROP       all  --  anywhere             anywhere            state INVALID 
    220  ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 5/sec burst 5 
    221  ACCEPT     udp  --  anywhere             anywhere            limit: avg 5/sec burst 5 
    222  ACCEPT     icmp --  192.168.3.10         anywhere            icmp echo-request 
    223  ACCEPT     icmp --  anywhere             192.168.3.10        icmp echo-reply 
    224  ACCEPT     icmp --  192.168.3.11         anywhere            icmp echo-request 
    225  ACCEPT     icmp --  anywhere             192.168.3.11        icmp echo-reply 
    226  ACCEPT     icmp --  192.168.3.12         anywhere            icmp echo-request 
    227  ACCEPT     icmp --  anywhere             192.168.3.12        icmp echo-reply 
    228  ACCEPT     icmp --  192.168.2.240        anywhere            icmp echo-request 
    229  ACCEPT     icmp --  anywhere             192.168.2.240       icmp echo-reply 
    230  ACCEPT     icmp --  192.168.3.0/24       192.168.2.21        
    231  ACCEPT     icmp --  192.168.2.21         192.168.3.0/24      
    232  ACCEPT     tcp  --  192.168.2.22         192.168.3.210       tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 
    233  ACCEPT     tcp  --  192.168.2.22         192.168.3.211       tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 
    234  ACCEPT     tcp  --  192.168.2.22         192.168.3.212       tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 
    235  ACCEPT     tcp  --  192.168.2.22         192.168.158.205     tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 
    236  ACCEPT     tcp  --  192.168.2.22         109.0.34.213        tcp spts:1024:65535 dpt:ssh state NEW,RELATED,ESTABLISHED 
    237  ACCEPT     tcp  --  109.0.34.213         192.168.2.22        tcp spt:ssh dpts:1024:65535 state RELATED,ESTABLISHED 
    238  ACCEPT     tcp  --  192.168.3.0/24       192.168.2.22        tcp spts:1024:65535 dpt:rmiregistry state NEW,RELATED,ESTABLISHED 
    239  ACCEPT     tcp  --  192.168.2.22         192.168.3.0/24      tcp spt:rmiregistry dpts:1024:65535 state RELATED,ESTABLISHED 
    240  ACCEPT     udp  --  192.168.3.0/24       192.168.2.22        udp spts:1024:65535 dpt:rmiregistry 
    241  ACCEPT     udp  --  192.168.2.22         192.168.3.0/24      udp spt:rmiregistry dpts:1024:65535 
    242  ACCEPT     tcp  --  192.168.2.22         anywhere            tcp spts:1024:65535 dpt:smtp state NEW,RELATED,ESTABLISHED 
    243  ACCEPT     tcp  --  anywhere             192.168.2.22        tcp spt:smtp dpts:1024:65535 state RELATED,ESTABLISHED 
    244  ACCEPT     tcp  --  192.168.3.0/24       192.168.2.24        tcp spts:1024:65535 dpt:8530 state NEW,RELATED,ESTABLISHED 
    245  ACCEPT     tcp  --  192.168.2.24         192.168.3.0/24      tcp spt:8530 dpts:1024:65535 state RELATED,ESTABLISHED 
    246  ACCEPT     tcp  --  192.168.3.0/24       192.168.2.24        tcp spts:1024:65535 dpt:isakmp state NEW,RELATED,ESTABLISHED 
    247  ACCEPT     tcp  --  192.168.2.24         192.168.3.0/24      tcp spt:isakmp dpts:1024:65535 state RELATED,ESTABLISHED 
    248  ACCEPT     tcp  --  192.168.3.0/24       192.168.2.24        tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 
    249  ACCEPT     tcp  --  192.168.3.0/24       192.168.2.24        tcp spts:1024:65535 dpt:61616 state NEW,RELATED,ESTABLISHED 
    250  ACCEPT     tcp  --  192.168.2.24         192.168.3.0/24      tcp spt:61616 dpts:1024:65535 state RELATED,ESTABLISHED 
    251  ACCEPT     udp  --  192.168.3.0/24       192.168.2.24        udp spts:1024:65535 dpt:61616 
    252  ACCEPT     udp  --  192.168.2.24         192.168.3.0/24      udp spt:61616 dpts:1024:65535 
    253  ACCEPT     tcp  --  192.168.3.10         192.168.2.25        tcp spts:1024:65535 dpt:ddm-rdb state NEW,RELATED,ESTABLISHED 
    254  ACCEPT     tcp  --  192.168.2.25         192.168.3.10        tcp spt:ddm-rdb dpts:1024:65535 state RELATED,ESTABLISHED 
    255  ACCEPT     tcp  --  192.168.3.11         192.168.2.25        tcp spts:1024:65535 dpt:ddm-rdb state NEW,RELATED,ESTABLISHED 
    256  ACCEPT     tcp  --  192.168.2.25         192.168.3.11        tcp spt:ddm-rdb dpts:1024:65535 state RELATED,ESTABLISHED 
    257  ACCEPT     tcp  --  192.168.3.12         192.168.2.25        tcp spts:1024:65535 dpt:ddm-rdb state NEW,RELATED,ESTABLISHED 
    258  ACCEPT     tcp  --  192.168.2.25         192.168.3.12        tcp spt:ddm-rdb dpts:1024:65535 state RELATED,ESTABLISHED 
    259  ACCEPT     tcp  --  192.168.2.240        192.168.2.25        tcp spts:1024:65535 dpt:ddm-rdb state NEW,RELATED,ESTABLISHED 
    260  ACCEPT     tcp  --  192.168.2.25         192.168.2.240       tcp spt:ddm-rdb dpts:1024:65535 state RELATED,ESTABLISHED 
    261  ACCEPT     tcp  --  192.168.3.0/24       192.168.2.27        tcp spts:1024:65535 state NEW,RELATED,ESTABLISHED 
    262  ACCEPT     tcp  --  192.168.2.27         192.168.3.0/24      tcp dpts:1024:65535 state RELATED,ESTABLISHED 
    263  ACCEPT     udp  --  192.168.3.0/24       192.168.2.27        udp spts:1024:65535 
    264  ACCEPT     udp  --  192.168.2.27         192.168.3.0/24      udp dpts:1024:65535 
    
    Chain OUTPUT (policy DROP)
    num  target     prot opt source               destination         
    1    ACCEPT     tcp  --  192.168.2.1          192.168.2.240       tcp spt:324 dpts:1024:65535 state RELATED,ESTABLISHED 
    2    ACCEPT     tcp  --  192.168.2.1          192.168.3.12        tcp spt:324 dpts:1024:65535 state RELATED,ESTABLISHED 
    3    ACCEPT     tcp  --  192.168.2.1          192.168.3.11        tcp spt:324 dpts:1024:65535 state RELATED,ESTABLISHED 
    4    ACCEPT     tcp  --  192.168.2.1          192.168.3.10        tcp spt:324 dpts:1024:65535 state RELATED,ESTABLISHED 
    5    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
    6    ACCEPT     icmp --  anywhere             192.168.2.240       icmp echo-reply 
    7    ACCEPT     icmp --  anywhere             192.168.3.12        icmp echo-reply 
    8    ACCEPT     icmp --  anywhere             192.168.3.11        icmp echo-reply 
    9    ACCEPT     icmp --  anywhere             192.168.3.10        icmp echo-reply 
    10   ACCEPT     all  --  anywhere             anywhere            
    11   DROP       all  --  anywhere             anywhere            state INVALID 
    12   ACCEPT     udp  --  anywhere             212.27.40.240       udp spts:1024:65535 dpt:domain 
    13   ACCEPT     tcp  --  anywhere             212.27.40.240       tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED 
    14   ACCEPT     udp  --  anywhere             212.27.40.240       udp spts:1024:65535 dpt:domain 
    15   ACCEPT     tcp  --  anywhere             212.27.40.240       tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED 
    16   ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:http state NEW,RELATED,ESTABLISHED 
    
    Chain syn-flood (1 references)
    num  target     prot opt source               destination         
    1    ACCEPT     all  --  anywhere             anywhere            limit: avg 5/sec burst 4 
    2    DROP       all  --  anywhere             anywhere
    These are the results of my script; it can be easier to read the result than to guess it!

    I made a scan with nmap on one of my servers and I see that many ports are open...

    What's wrong in my script? Order? Rules?
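    The listing above can be checked mechanically for the ordering problem that the rest of the thread turns on: a rule that accepts (or drops) everything makes every rule after it in that chain unreachable, and the per-/8 DROP lines only repeat what a DROP policy already does. The script below is an added example, not part of the original post or of the poster's script. It audits a constructed, shortened listing in the same `iptables -L --line-numbers` format as the one posted; the definition of a "catch-all" rule (ACCEPT or DROP, protocol all, anywhere to anywhere, with either no extra match or a state match that includes NEW) is my assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables -L --line-numbers`
# listing for catch-all rules that make every later rule in the same chain
# unreachable, and count blanket x.0.0.0/8 DROP rules per chain.
#
# Columns in the listing: num target prot opt source destination [match...]

audit_listing() {   # usage: audit_listing LISTING_FILE
    awk '
    /^Chain /       { chain = $2; catch[chain] = 0; next }
    /^num +target/  { next }          # column header
    NF == 0         { next }          # blank line between chains
    {
        rule = $1; target = $2; proto = $3; src = $5; dst = $6
        extra = ""
        for (i = 7; i <= NF; i++) extra = extra (i > 7 ? " " : "") $i

        # blanket /8 drop with no other match: the DROP policy already does this
        if (target == "DROP" && proto == "all" && src ~ /^[0-9]+\.0\.0\.0\/8$/ && extra == "")
            slash8[chain]++

        # everything after a catch-all is dead
        if (catch[chain] > 0) { dead[chain]++; next }

        # catch-all: terminating target, any proto, any src/dst, and either no
        # match at all or a state match that admits NEW connections
        if ((target == "ACCEPT" || target == "DROP") && proto == "all" &&
            src == "anywhere" && dst == "anywhere" &&
            (extra == "" || extra ~ /^state [A-Z,]*NEW/))
            catch[chain] = rule
    }
    END {
        for (c in catch) {
            if (catch[c] > 0)
                printf "%s: rule %d is a catch-all, %d later rule(s) unreachable\n", c, catch[c], dead[c] + 0
            if (slash8[c] > 0)
                printf "%s: %d blanket /8 DROP rules (policy DROP already covers them)\n", c, slash8[c]
        }
    }' "$1" | sort
}

# Constructed sample listing (same layout as `iptables -L --line-numbers`).
sample_listing() {
    cat <<'EOF'
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  192.168.3.0/24       anywhere            tcp dpt:http state NEW,RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
3    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
4    DROP       all  --  10.0.0.0/8           anywhere
5    DROP       all  --  172.16.0.0/12        anywhere
6    DROP       all  --  anywhere             anywhere            state INVALID
7    ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 5/sec burst 5

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere            state INVALID
EOF
}

# Stand-alone demo on the constructed listing.
LISTING=$(mktemp)
sample_listing > "$LISTING"
audit_listing "$LISTING"
rm -f "$LISTING"
```

    Run it against a real listing with `iptables -L --line-numbers > listing.txt; audit_listing listing.txt`. In the sample, FORWARD rule 3 (the NEW,RELATED,ESTABLISHED accept) leaves the INVALID drop and the SYN rate limit after it dead, which is exactly the situation in the posted FORWARD chain at rule 90.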

  6. #6
    Just Joined!
    Join Date
    Aug 2010
    Posts
    22
    The second problem was solved.
    I think the problem came from my rule allowing current connections. I modified the settings:

    Code:
    # Authorised current connections
    iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    But for my internet connection I don't know if the problem is resolved...
    I think not.

    I would like more information on how to put my rules in the best order possible.
    Because clients which don't have an ADMIN IP can connect via SSH to my server but not to my firewall, which uses INPUT/OUTPUT rules and not FORWARD for the clients...

    How can I do this?
    And for syn-flood attack have you an idea?

    Sincerely

  7. #7
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Way too much to read with tags all through it. Scripts are nice for setting up the firewall but you should let IPTABLES save and load the save file. That is just my opinion.

    Here is what you have;

    Server LAN
    Client LAN
    INTERNET
    FIREWALL

    You need to ask what you want each to be allowed to do.

    Myself, I don't allow any connections to the firewall.

    I would not allow the servers to do anything except DL updates. They are normally the first to get compromised and attack your network.

    Next question is what do you not want the clients to do or do you only want to allow them to do some things?

    Is the internet going to have access to the servers?

    I never lock down by IP Address unless I have to. I prefer to use ports to do my locking down.

    If you would like that I look at your rules then run 'iptables-save' and post the output for the file. Much easier to read.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  8. #8
    Just Joined!
    Join Date
    Aug 2010
    Posts
    22
    Thanks Lazydog.

    My script is loaded by /etc/rc.d/rc.local service at system startup.
    And I know what I want! I want to be sure that my script does what I write!
    And I want my rule about syn-flood to work fine to avoid the "attack" on my router!

    It's true that giving internet access to the firewall is not the best setting...

    Only one server is allowed access on ports 53, 80 and 443 to download all updates needed in my LAN.

    I don't want the clients to be able to try SSH connections anywhere.

    I've added a file with the iptables-save results.

    Thanks for your help

  9. #9
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    OK, the SYN rules look fine. Why are you listing every address and dropping it?

    Code:
     -A INPUT -s 0.0.0.0/255.0.0.0 -i eth0 -j DROP
     -A INPUT -s 1.0.0.0/255.0.0.0 -i eth0 -j DROP
     -A INPUT -s 2.0.0.0/255.0.0.0 -i eth0 -j DROP
     -A INPUT -s 3.0.0.0/255.0.0.0 -i eth0 -j DROP
    [....]
     -A INPUT -s 252.0.0.0/255.0.0.0 -i eth0 -j DROP
     -A INPUT -s 253.0.0.0/255.0.0.0 -i eth0 -j DROP
     -A INPUT -s 254.0.0.0/255.0.0.0 -i eth0 -j DROP
     -A INPUT -s 255.0.0.0/255.0.0.0 -i eth0 -j DROP
    This is overkill, not needed, and will slow down the firewall as it has to read and apply each of them. You do this again on the FORWARD chain also, and again it shouldn't be like this. The policy will drop these packets, and if you want to feel safer then add a DROP rule at the end of every chain. I do this out of habit.

    Your thousands of ESTABLISHED,RELATED rules are also not needed. You only need one per chain, as the first rule, that covers everything.

    I think you are looking at the firewall in the wrong way. By default you should drop everything and then only allow through what is needed/wanted. Looking at your rules, you are trying to control everything with individual rules, and it just makes reading/following your rules a nightmare.

    For example, you are dropping everything long before packets reach the SYN rules, so these rules are useless as no packets will ever reach them. And if you follow the block rules I have listed for the Internet INPUT side, you don't have to worry about SYN flags, as all packets are dropped anyway.

    Your rules should be interface specific. In other words, you should never allow any connection to your firewall from the outside, so the following rules should be used:

    Code:
    -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i eth0 -j DROP
    This allows connections that the firewall starts, e.g. NTP, to return the requested information.

    Here is an example of rules that are bloated and don't need to be.
    I'm going to assume that 192.168.2.1 is the firewall since these are INPUT rules.

    These rules...
    Code:
    -A INPUT -s 192.168.2.240 -d 192.168.2.1 -p tcp -m tcp --sport 1024:65535 --dport 324 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.3.12 -d 192.168.2.1 -p tcp -m tcp --sport 1024:65535 --dport 324 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.3.11 -d 192.168.2.1 -p tcp -m tcp --sport 1024:65535 --dport 324 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.3.10 -d 192.168.2.1 -p tcp -m tcp --sport 1024:65535 --dport 324 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    Could be changed to this....
    Code:
    -A INPUT -s 192.168.2.240 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.3.12 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.3.11 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.3.10 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    The ESTABLISHED,RELATED part is handled by the INPUT rule you already have listed for this. This is all you really need. The same applies to your other bloated rules.

    You should really read up on firewalls and rule setup. Packets that are passing through the system will never touch the INPUT rules and packets that stop at the firewall will never touch FORWARD rules.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
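    The point above, that rules placed after an unconditional drop on the same interface can never match, can be checked mechanically. This is an added example (not code from the thread or from either poster): a small checker that flags shadowed rules in an iptables-save dump, run over a constructed dump modelled on the rules quoted in this post; the rate-limited SYN rule and its position are constructed for illustration.

```python
"""Flag rules in an iptables-save dump that an earlier rule makes unreachable.
A chain is read top-down and the first terminating match (ACCEPT/DROP/REJECT)
wins, so a rule is dead when an earlier terminating rule in the same chain has
only matches the later rule also has, with equal values (exact values only, no
CIDR containment). Added example over a constructed dump, not the thread's own."""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
VALUE_OPTS = {"-s", "-d", "-i", "-o", "-p", "--dport", "--sport", "--state", "--limit"}

def parse_rule(line):
    """Return (chain, matches, target) for one '-A CHAIN ...' line."""
    toks = shlex.split(line.split("]", 1)[-1])  # drop a leading [pkts:bytes] counter
    chain, matches, target, i = toks[1], {}, "", 2
    while i < len(toks):
        t = toks[i]
        if t == "-j":
            target, i = toks[i + 1], i + 2
        elif t == "-m":  # a module name alone matches nothing
            i += 2
        elif t == "--tcp-flags":  # two values: mask and the flags that must be set
            matches[t], i = toks[i + 1] + " " + toks[i + 2], i + 3
        elif t in VALUE_OPTS:
            matches[t], i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return chain, matches, target

def shadowed_rules(dump):
    """Return (line_no, rule) for every rule an earlier terminating rule hides."""
    seen, dead = {}, []  # seen: chain -> match sets of terminating rules so far
    for n, line in enumerate(map(str.strip, dump.splitlines()), 1):
        if not (line.startswith("-A") or "] -A" in line):
            continue  # *filter, :CHAIN POLICY [c:b], COMMIT
        chain, matches, target = parse_rule(line)
        if any(all(matches.get(k) == v for k, v in prior.items())
               for prior in seen.get(chain, [])):
            dead.append((n, line))
        elif target in TERMINATING:
            seen.setdefault(chain, []).append(matches)
    return dead

SAMPLE = """*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN -m limit --limit 1/s -j ACCEPT
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 192.168.2.240 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
COMMIT"""
```

    Running shadowed_rules(SAMPLE) reports the SYN rule and the 0.0.0.0/8 drop as dead, while the LAN-only rule for port 324 stays reachable because it carries no -i eth0 match.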

  10. #10
    Just Joined!
    Join Date
    Aug 2010
    Posts
    22
    Thanks Lazydog!

    For the first one, I saw that in a script made by someone with professional knowledge.
    It says that we should never be contacted by these networks, which are reserved.
    But in the results of the iptables-save command we see that some of these rules have blocked packets (see the counters):

    Code:
    [27:1080] -A INPUT -s 72.0.0.0/255.0.0.0 -i eth0 -j DROP
    For ESTABLISHED,RELATED, I must have these settings at the end of my rules to allow the server to answer the accepted requests from my clients.
    Or can I do otherwise?
    I understand what you change here:

    Code:
    -A INPUT -s 192.168.2.240 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.3.12 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.3.11 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.3.10 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    I find this better too!
    But can I remove the ESTABLISHED,RELATED setting from all of my rules, even in the FORWARD chain? (for TCP requests only)

    Quote Originally Posted by Lazydog
    I think you are looking at the firewall in the wrong way. Default you should drop everything and then only allow through what is needed/wanted. Looking at your rules you are trying to control every thing with individual rules and it just makes reading/following your rules a nightmare.
    I don't know the difference... The objective of the firewall is to allow only what we need. And that's what I do. I think!
    I can't make rules which look like this (not safe, I find!):
    Code:
    iptables -I FORWARD -p tcp -s $LAN_CLT -d $LAN_SRV -j ACCEPT
    iptables -I FORWARD -p tcp -s $LAN_SRV -d $LAN_CLT -j ACCEPT
    iptables -I FORWARD -p udp -s $LAN_CLT -d $LAN_SRV -j ACCEPT
    iptables -I FORWARD -p udp -s $LAN_SRV -d $LAN_CLT -j ACCEPT
    Maybe you think that I need to make fewer rules?
    But how? I can't open every port on my servers. So I have to make rules per service...

    I'm not a firewall specialist! If you have a better way to show me how to configure the iptables script, I'm OK with it!

    Thanks for your help.

    Do you have an idea why my router goes down with a SYN-flood attack from the LAN?

    Thanks again!
