* MAC addres and iptables
@ 2004-02-29 13:45 Sasa Stupar
  2004-02-29 13:55 ` Antony Stone
From: Sasa Stupar @ 2004-02-29 13:45 UTC (permalink / raw)
  To: Netfilter-List

Hi!

I have a working router for my network. Is it possible to allow access 
to the router by defining a MAC address with iptables?
So basically I need to allow only some users to access internet and not 
all. So I want to allow access only to users with certain MAC address 
and deny all others.

Is this possible with iptables and how?

Thank you in advance,
Sasa



* Re: MAC addres and iptables
  2004-02-29 13:45 MAC addres and iptables Sasa Stupar
@ 2004-02-29 13:55 ` Antony Stone
  2004-02-29 14:06   ` Sasa Stupar
From: Antony Stone @ 2004-02-29 13:55 UTC (permalink / raw)
  To: Netfilter-List

On Sunday 29 February 2004 1:45 pm, Sasa Stupar wrote:

> Hi!
>
> I have a working router for my network. Is it possible to allow access
> to the router by defining a MAC address with iptables?
> So basically I need to allow only some users to access internet and not
> all. So I want to allow access only to users with certain MAC address
> and deny all others.
>
> Is this possible with iptables and how?

Try something like:

iptables -A INPUT -s a.b.c.d -m mac --mac aa:bb:cc:dd:ee:ff -j ACCEPT

Where a.b.c.d is the IP address and aa:bb:cc:dd:ee:ff is the MAC address of 
the machine you want to allow access to the firewall system.

You need to have compiled mac address matching into your kernel, or loaded the 
appropriate module.

See "man iptables" for more info.

Regards,

Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: MAC addres and iptables
  2004-02-29 13:55 ` Antony Stone
@ 2004-02-29 14:06   ` Sasa Stupar
  2004-02-29 14:14     ` MAC address " Antony Stone
  2004-02-29 14:38     ` MAC addres " Sasa Stupar
From: Sasa Stupar @ 2004-02-29 14:06 UTC (permalink / raw)
  To: Netfilter-List

Antony Stone writes:

>On Sunday 29 February 2004 1:45 pm, Sasa Stupar wrote:
>
>>Hi!
>>
>>I have a working router for my network. Is it possible to allow access
>>to the router by defining a MAC address with iptables?
>>So basically I need to allow only some users to access internet and not
>>all. So I want to allow access only to users with certain MAC address
>>and deny all others.
>>
>>Is this possible with iptables and how?
>
>Try something like:
>
>iptables -A INPUT -s a.b.c.d -m mac --mac aa:bb:cc:dd:ee:ff -j ACCEPT
>
>Where a.b.c.d is the IP address and aa:bb:cc:dd:ee:ff is the MAC address of 
>the machine you want to allow access to the firewall system.
>
>You need to have compiled mac address matching into your kernel, or loaded the 
>appropriate module.
>
>See "man iptables" for more info.
>
>Regards,
>
>Antony.
>

Thanks for the answer. Since I am new to Linux and iptables: how do I 
know if MAC address matching is compiled into the kernel or not, and what 
is the responsible module?
BTW, I am running on RH8 with iptables 1.2.9.

Regards,
Sasa



* Re: MAC address and iptables
  2004-02-29 14:06   ` Sasa Stupar
@ 2004-02-29 14:14     ` Antony Stone
  2004-02-29 14:38     ` MAC addres " Sasa Stupar
From: Antony Stone @ 2004-02-29 14:14 UTC (permalink / raw)
  To: Netfilter-List

On Sunday 29 February 2004 2:06 pm, Sasa Stupar wrote:

> Antony Stone writes:
> >
> >Try something like:
> >
> >iptables -A INPUT -s a.b.c.d -m mac --mac aa:bb:cc:dd:ee:ff -j ACCEPT

> Thanks for the answer. Since I am new to Linux and iptables: how do I
> know if MAC address matching is compiled into the kernel or not

Try the above command and see whether it is accepted.   If it is, you have the 
required support compiled in or loaded as a module.   If it isn't, you'll get 
an error such as "iptables: No chain/target/match by that name".

> and what is the responsible module?

Sorry, I can't answer that for certain because I don't use modules, however I 
would guess it's called "mac".   Perhaps someone else can confirm/correct 
this.

Regards,

Antony.

-- 
The first fifty percent of an engineering project takes ninety percent of the 
time, and the remaining fifty percent takes another ninety percent of the 
time.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: MAC addres and iptables
  2004-02-29 14:06   ` Sasa Stupar
  2004-02-29 14:14     ` MAC address " Antony Stone
@ 2004-02-29 14:38     ` Sasa Stupar
  2004-02-29 15:12       ` MAC address " Antony Stone
From: Sasa Stupar @ 2004-02-29 14:38 UTC (permalink / raw)
  To: Netfilter-List

Sasa Stupar writes:

> Antony Stone writes:
>
>> On Sunday 29 February 2004 1:45 pm, Sasa Stupar wrote:
>>
>>> Hi!
>>>
>>> I have a working router for my network. Is it possible to allow access
>>> to the router by defining a MAC address with iptables?
>>> So basically I need to allow only some users to access internet and not
>>> all. So I want to allow access only to users with certain MAC address
>>> and deny all others.
>>>
>>> Is this possible with iptables and how?
>>
>>
>> Try something like:
>>
>> iptables -A INPUT -s a.b.c.d -m mac --mac aa:bb:cc:dd:ee:ff -j ACCEPT
>>
>> Where a.b.c.d is the IP address and aa:bb:cc:dd:ee:ff is the MAC 
>> address of the machine you want to allow access to the firewall system.
>>
>> You need to have compiled mac address matching into your kernel, or 
>> loaded the appropriate module.
>>
>> See "man iptables" for more info.
>>
>> Regards,
>>
>> Antony.
>>
>
> Thanks for the answer. Since I am new to Linux and iptables: how do I 
> know if MAC address matching is compiled into the kernel or not, and what 
> is the responsible module?
> BTW, I am running on RH8 with iptables 1.2.9.
>
> Regards,
> Sasa
>
>
I have done this command and it doesn't work. I have changed the rule to:

iptables -A INPUT -s ! a.b.c.d -m ! mac --mac aa:bb:cc:dd:ee:ff -j  DROP

then it works BUT as soon as I add another ip and mac address then I am 
blocked out.

What am I doing wrong here?

Regards,
Sasa



* Re: MAC address and iptables
  2004-02-29 14:38     ` MAC addres " Sasa Stupar
@ 2004-02-29 15:12       ` Antony Stone
  2004-02-29 15:40         ` Sasa Stupar
From: Antony Stone @ 2004-02-29 15:12 UTC (permalink / raw)
  To: Netfilter-List

On Sunday 29 February 2004 2:38 pm, Sasa Stupar wrote:

> Sasa Stupar writes:
> > Antony Stone writes:
> >>
> >> Try something like:
> >>
> >> iptables -A INPUT -s a.b.c.d -m mac --mac aa:bb:cc:dd:ee:ff -j ACCEPT
> >>
> >> Where a.b.c.d is the IP address and aa:bb:cc:dd:ee:ff is the MAC
> >> address of the machine you want to allow access to the firewall system.
> >>
> >> See "man iptables" for more info.

> I have done this command and it doesn't work.

When you say "it doesn't work", do you mean netfilter gives you an error, 
saying there is a problem with the command you entered, or netfilter accepts 
the command, but it doesn't happen to do what you want it to do?

> I have changed the rule to:
>
> iptables -A INPUT -s ! a.b.c.d -m ! mac --mac aa:bb:cc:dd:ee:ff -j  DROP
>
> then it works

This sounds worryingly like you have a default ACCEPT policy on your INPUT 
table.

> BUT as soon as I add another ip and mac address then I am
> blocked out.
>
> What am I doing wrong here?

Tell us the rest of your ruleset - it sounds like you are accepting everything 
on INPUT, except packets which you're blocking, when you should be doing it 
the other way round.

Regards,

Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: MAC address and iptables
  2004-02-29 15:12       ` MAC address " Antony Stone
@ 2004-02-29 15:40         ` Sasa Stupar
  2004-02-29 15:55           ` Antony Stone
From: Sasa Stupar @ 2004-02-29 15:40 UTC (permalink / raw)
  To: Netfilter-List

The thing is that it worked, but it was not what I expected. Here is my 
ruleset:
-----------------
# Generated by webmin
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
# Loopback
-A OUTPUT -o lo -j ACCEPT
# Allow self access by loopback interface
-A INPUT -i lo -j ACCEPT
# Master
-A INPUT -m mac -s a.b.c.d --mac aa:bb:cc:dd:ee:ff -j ACCEPT
# Accept established connections
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# Telnet
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# NTP
-A INPUT -p tcp -m tcp --dport 37 -j ACCEPT
# DNS
-A INPUT -p udp -m udp -s a.b.c.d -d 0/0 --sport 53 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT  --syn
# POP3
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# Samba
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
# Samba
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
# Samba
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT  --syn
# HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# SMTP-SSL
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
# POP3-SSL
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
# Squid Proxy
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
# UPS
-A INPUT -p tcp -m tcp --dport 3493 -j ACCEPT
# Xmail CtrlClnt
-A INPUT -p tcp -m tcp --dport 6017 -j ACCEPT
# XQM agent
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
# Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Drop all other connection attempts
-A INPUT -j DROP
COMMIT
# Generated by webmin
*mangle
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
# Completed
----------------------

Regards,
Sasa



* Re: MAC address and iptables
  2004-02-29 15:40         ` Sasa Stupar
@ 2004-02-29 15:55           ` Antony Stone
  2004-02-29 16:02             ` Sasa Stupar
From: Antony Stone @ 2004-02-29 15:55 UTC (permalink / raw)
  To: Netfilter-List

On Sunday 29 February 2004 3:40 pm, Sasa Stupar wrote:

> The thing is that it worked, but it was not what I expected. Here is my
> ruleset:
> -----------------
> # Generated by webmin
> *filter
>
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :INPUT DROP [0:0]

So, you have a default DROP policy on INPUT - good.

> # Loopback
> -A OUTPUT -o lo -j ACCEPT
> # Allow self access by loopback interface
> -A INPUT -i lo -j ACCEPT
> # Master
> -A INPUT -m mac -s a.b.c.d --mac aa:bb:cc:dd:ee:ff -j ACCEPT

That rule will accept all connections from one IP address with the correct MAC 
address.

> # Accept established connections
> -A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT

That will allow reply packets to all your outbound connections.

> -A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset

Reject any TCP packets not already matched, which don't have TCP option 2 set.

> # FTP
> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Accept FTP connections (from anywhere)

> # Telnet
> -A INPUT -p tcp -m tcp --dport 23 -j ACCEPT

Accept telnet (yuk) connections from anywhere

> # SMTP
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

Accept smtp connections from anywhere......

I have skipped the rest of your rules, which look pretty similar to the last 
three above, but for different services.   They all look sensible to me.

So, what is the problem you are experiencing?   What is happening which you 
don't want, or what is not happening which you do want?

Regards,

Antony.

-- 
What makes you think I know what I'm talking about?
I just have more O'Reilly books than most people.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: MAC address and iptables
  2004-02-29 15:55           ` Antony Stone
@ 2004-02-29 16:02             ` Sasa Stupar
  2004-02-29 16:14               ` David Cannings
  2004-02-29 16:16               ` Antony Stone
From: Sasa Stupar @ 2004-02-29 16:02 UTC (permalink / raw)
  To: Netfilter-List

What I want is to accept connections only from those listed in the rules 
and drop others. But with the current config it accepts connections also 
from others which are not in the rules.

Sasa



* Re: MAC address and iptables
  2004-02-29 16:02             ` Sasa Stupar
@ 2004-02-29 16:14               ` David Cannings
  2004-02-29 16:16               ` Antony Stone
From: David Cannings @ 2004-02-29 16:14 UTC (permalink / raw)
  To: netfilter

On Sunday 29 February 2004 16:02, Sasa Stupar wrote:
> What I want is to accept connections only from those listed in the
> rules and drop others. But with the current config it accepts
> connections also from others which are not in the rules.

Connections to what?  Your rules, such as the one below, allow connections 
from anywhere.  

> # FTP
> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

David
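The pattern David points at, an INPUT ACCEPT rule that no source restriction applies to, is easy to audit mechanically. The following is an added example and is not part of the thread or of webmin's output: a POSIX shell/awk filter that reads an iptables-save style ruleset and prints every INPUT ACCEPT rule that has no -s/--source, no mac match and no state match (loopback rules are exempt). The sample ruleset is constructed for the example in the shape of the webmin dump posted earlier in the thread, with documentation addresses; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style ruleset
# for INPUT ACCEPT rules that carry no source restriction at all, which is
# the pattern David points at ("allow connections from anywhere").

# Constructed sample in the shape of the webmin dump posted earlier in the
# thread (documentation addresses, not the real ruleset).
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m mac -s 192.0.2.10 --mac-source 02:00:00:00:00:01 -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p udp -m udp -s 192.0.2.53 --sport 53 -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 192.0.2.1 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# unrestricted_accepts: read a ruleset on stdin and print each INPUT ACCEPT
# rule that excludes no host: no -s/--source (a "-s 0/0" counts as none),
# no mac match, no state match.  Loopback rules are exempt because lo never
# carries another host's traffic.
unrestricted_accepts() {
    awk '
        /^-A INPUT / && / -j ACCEPT( |$)/ {
            line = $0
            # "-s 0/0" and "-s 0.0.0.0/0" restrict nothing; strip them first.
            sub(/ (-s|--source) 0(\.0\.0\.0)?\/0 /, " ", line)
            if (line ~ / (-s|--source) /) next
            if (line ~ / -m mac /)        next
            if (line ~ / -m state /)      next
            if (line ~ / -i lo( |$)/)     next
            print
        }'
}

# count_unrestricted: number of such rules in the constructed sample.
count_unrestricted() {
    printf '%s\n' "$SAMPLE_RULESET" | unrestricted_accepts | awk 'END { print NR }'
}

# Stand-alone use: report on the sample (prints the four per-port rules).
printf '%s\n' "$SAMPLE_RULESET" | unrestricted_accepts
```

On the firewall itself, `iptables-save | unrestricted_accepts` (after sourcing the file) lists the INPUT rules reachable from any host. For the ruleset posted above, the loopback, MAC-gated and ESTABLISHED,RELATED rules drop out and every per-port rule is reported, which is exactly the condition the thread describes: the per-port ACCEPT rules are matched before any host restriction can apply.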




* Re: MAC address and iptables
  2004-02-29 16:02             ` Sasa Stupar
  2004-02-29 16:14               ` David Cannings
@ 2004-02-29 16:16               ` Antony Stone
  2004-02-29 18:10                 ` Sasa Stupar
From: Antony Stone @ 2004-02-29 16:16 UTC (permalink / raw)
  To: Netfilter-List

On Sunday 29 February 2004 4:02 pm, Sasa Stupar wrote:

> What I want is to accept connections only from those listed in the rules
> and drop others. But with the current config it accepts connections also
> from others which are not in the rules.

In that case, either:

a) add the -s a.b.c.d -m mac --mac aa:bb:cc:dd:ee:ff to each rule which you 
only want to match a specific machine

or

b) put all your rules into a user-defined chain, and then jump to that chain 
only for packets which match the required IP/MAC combination:

iptables -N myrules
iptables -A myrules -p tcp --dport 21 -j ACCEPT
iptables -A myrules -p tcp --dport 23 -j ACCEPT
etc
iptables -A INPUT -s a.b.c.d -m mac --mac aa:bb:cc:dd:ee:ff -j myrules

With this design you can also easily allow more than one machine to connect if 
you wish, by adding another INPUT rule:

iptables -A INPUT -s w.x.y.z -m mac --mac uu:vv:ww:xx:yy:zz -j myrules

Regards,

Antony.

-- 
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.

 - Damian Conway, Perl God

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: MAC address and iptables
  2004-02-29 16:16               ` Antony Stone
@ 2004-02-29 18:10                 ` Sasa Stupar
  2004-02-29 21:44                   ` Sasa Stupar
From: Sasa Stupar @ 2004-02-29 18:10 UTC (permalink / raw)
  To: Netfilter-List


I have tried it and it worked. I have done it with a new chain, myrules.
OK, but this was for internal server. Now I want to implement the same
on the router. I have entered the modification and when I start it I get
error "iptables: invalid argument" and nothing else. After that I can't
access the web anymore but I can access internal server.
I really don't know what is wrong. I have attached my firewall script.

I have changed following things after the working configuration:
- added chain from line 123 to line 139
- changed rule from "ACCEPT" to "myrules" from line 503 to line 506
- changed rule from "ACCEPT" to "myrules" from line 515 to line 520
- changed rule from "ACCEPT" to "myrules" on lines 792 and 797



Thank you in advance,
Sasa


[-- Attachment #2: firewall.sh --]
[-- Type: text/plain, Size: 30439 bytes --]

#!/bin/sh
# Generated by Firestarter 0.9.2, NETFILTER in use

# --------( Initial Setup - Variables (required) )--------

# Type of Service (TOS) parameters
# 8: Maximum Throughput - Minimum Delay
# 4: Minimize Delay - Maximize Reliability
# 16: No Delay - Moderate Throughput - High Reliability

TOSOPT=8

# Default Packet Rejection Type
# ( do NOT change this here - set it in the GUI instead )

STOP=DENY

# --------( Initial Setup - Firewall Location Check )--------

IPT=/sbin/iptables
IFC=/sbin/ifconfig
MPB=/sbin/modprobe
LSM=/sbin/lsmod
RMM=/sbin/rmmod

# --------( Initial Setup - Network Information (required) )--------

IF=eth0
INIF=eth1
INIF2=eth2
IP=`$IFC $IF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
MASK=`$IFC $IF | grep Mas | cut -d : -f 4`
NET=$IP/$MASK

INMASK="user specified in INNET"
INNET=192.168.10.0/24
INNET2=192.168.1.0/24

if [ "$MASK" = "" ]; then
	echo "External network device $IF is not ready. Aborting.."
	exit 2
fi

if [ "$INMASK" = "" ]; then
	echo "Internal network device $INIF is not ready. Aborting.."
	exit 3
fi

# --------( Initial Setup - Firewall Modules Check )--------

# Some distributions still load ipchains
$LSM | grep ipchains -q -s && $RMM ipchains

# --------( Initial Setup - Firewall Modules Autoloader )--------

if ! ( $LSM | /bin/grep ip_conntrack > /dev/null ); then
$MPB ip_conntrack
fi
if ! ( $LSM | /bin/grep ip_conntrack_ftp > /dev/null ); then
$MPB ip_conntrack_ftp
fi
if ! ( $LSM | /bin/grep ip_conntrack_irc > /dev/null ); then
$MPB ip_conntrack_irc
fi
if ! ( $LSM | /bin/grep ipt_REJECT > /dev/null ); then
$MPB ipt_REJECT
fi
if ! ( $LSM | /bin/grep ipt_REDIRECT > /dev/null ); then
$MPB ipt_REDIRECT
fi
if ! ( $LSM | /bin/grep ipt_TOS > /dev/null ); then
$MPB ipt_TOS
fi
if ! ( $LSM | /bin/grep ipt_MASQUERADE > /dev/null ); then
$MPB ipt_MASQUERADE
fi
if ! ( $LSM | /bin/grep ipt_LOG > /dev/null ); then
$MPB ipt_LOG
fi
if ! ( $LSM | /bin/grep iptable_mangle > /dev/null ); then
$MPB iptable_mangle
fi
if ! ( $LSM | /bin/grep iptable_nat > /dev/null ); then
$MPB iptable_nat
fi

# --------( Chain Configuration - Flush Existing Chains )--------

# Delete user made chains. Flush and zero the chains.

$IPT -F
$IPT -X
$IPT -Z

# Remove Firestarter lock
if [ -e /var/lock/subsys ]; then
  rm -f /var/lock/subsys/firestarter
else
  rm -f /var/lock/firestarter
fi

# --------( Chain Configuration - Delete Extinct Chains )--------

# Delete `nat' and `mangle' chains.

if ( $LSM | /bin/grep iptable_mangle > /dev/null ); then
$IPT -t mangle -F
fi
if ( $LSM | /bin/grep iptable_nat > /dev/null ); then
$IPT -t nat -F
fi

# --------( Chain Configuration - Create Default Result Chains )--------

# Create a new log and drop (LD) convenience chain.
$IPT -N LD 2> /dev/null
$IPT -F LD
$IPT -A LD -j LOG
$IPT -A LD -j DROP

STOP=LD

# --------( Use of router for us only )---------
#Our chain
$IPT -N myrules
# Master
$IPT -A myrules -m mac -s 192.168.10.1 --mac 00:0C:6E:F1:F3:48 -j ACCEPT
# Routers outgoing connection 1 - eth1 - LAN
$IPT -A myrules -m mac -s 192.168.10.111 --mac 00:50:BF:7A:5E:E5 -j ACCEPT
# Router's outgoing connection 2 - eth2 - LAN
$IPT -A myrules -m mac -s 192.168.1.111 --mac 00:40:F4:60:D0:39 -j ACCEPT
# Mig29
$IPT -A myrules -m mac -s 192.168.10.10 --mac 00:C0:26:28:8E:59 -j ACCEPT
# Router's incoming connection - eth0 - Internet
$IPT -A myrules -m mac -s 194.249.51.74 --mac 00:30:4F:24:58:01 -j ACCEPT
# Nathalie
$IPT -A myrules -m mac -s 192.168.10.30 --mac 00:E0:18:88:53:F0 -j ACCEPT
# Deny all others
$IPT -A myrules -j DROP

# --------( Chain Configuration - Create Default Traffic Chains )--------

# Create a new 'unclean module check' (UNCLEAN) convenience chain.
$IPT -N UNCLEAN 2> /dev/null
$IPT -F UNCLEAN
$IPT -A UNCLEAN -j $STOP

# Create a new 'stateful module check' (STATE) convenience chain.
$IPT -N STATE 2> /dev/null
$IPT -F STATE
$IPT -I STATE -m state --state NEW -i ! lo -j $STOP
$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A STATE -j $STOP

# Create a new 'sanity (check, mark and fwd) check' (SANITY) convenience chain.
$IPT -N SANITY 2> /dev/null
$IPT -F SANITY
$IPT -A SANITY -j $STOP

# --------( Chain Configuration - Set Default Chain Policy )--------

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT


# --------( Initial Setup - Nameservers )--------

# Allow responses from the nameservers
while read s1 s2 s3
	do
		if [ "$s1" = "nameserver" ] ; then
			$IPT -A INPUT -p tcp ! --syn -s $s2 -d 0/0 -j ACCEPT
			$IPT -A INPUT -p udp -s $s2 -d 0/0 -j ACCEPT
		fi
	done < /etc/resolv.conf

# --------( Initial Setup - External Lists )--------

# Trusted hosts
while read host
	do
		$IPT -A INPUT -s $host -d 0/0 -j ACCEPT
	done < /etc/firestarter/trusted-hosts

# Blocked hosts
while read host
	do
		$IPT -A INPUT -s $host -d 0/0 -j DROP
	done < /etc/firestarter/blocked-hosts

# Forwarded ports
while read port int_host int_port
	do
		$IPT -A FORWARD -p tcp -d $int_host --dport $int_port -j ACCEPT
		$IPT -A FORWARD -p udp -d $int_host --dport $int_port -j ACCEPT
		$IPT -A PREROUTING -t nat -p tcp -d $NET --dport $port -j DNAT --to $int_host:$int_port
		$IPT -A PREROUTING -t nat -p udp -d $NET --dport $port -j DNAT --to $int_host:$int_port
	done < /etc/firestarter/forward

# NAT onto same network
$IPT -t nat -A POSTROUTING -d 192.168.10.10 -s 192.168.10.0/24 -p tcp --dport 21 -j SNAT --to 192.168.10.111
$IPT -t nat -A POSTROUTING -d 192.168.10.10 -s 192.168.10.0/24 -p tcp --dport 25 -j SNAT --to 192.168.10.111
$IPT -t nat -A POSTROUTING -d 192.168.10.10 -s 192.168.10.0/24 -p tcp --dport 80 -j SNAT --to 192.168.10.111
$IPT -t nat -A POSTROUTING -d 192.168.10.10 -s 192.168.10.0/24 -p tcp --dport 110 -j SNAT --to 192.168.10.111
$IPT -t nat -A POSTROUTING -d 192.168.10.10 -s 192.168.10.0/24 -p tcp --dport 443 -j SNAT --to 192.168.10.111
$IPT -t nat -A POSTROUTING -d 192.168.10.10 -s 192.168.10.0/24 -p tcp --dport 465 -j SNAT --to 192.168.10.111
$IPT -t nat -A POSTROUTING -d 192.168.10.10 -s 192.168.10.0/24 -p tcp --dport 995 -j SNAT --to 192.168.10.111

# Open ports
while read port
	do
		$IPT -A INPUT -p tcp -s 0/0 -d $NET --dport $port -j ACCEPT
		$IPT -A INPUT -p udp -s 0/0 -d $NET --dport $port -j ACCEPT
	done < /etc/firestarter/open-ports

# Stealthed ports (Ports open to specific hosts)
while read port host
	do
		$IPT -A INPUT -p tcp -s $host -d $NET --dport $port -j ACCEPT
		$IPT -A INPUT -p udp -s $host -d $NET --dport $port -j ACCEPT
	done < /etc/firestarter/stealthed-ports

# Blocked ports (explicit, no logging)
while read port
	do
		$IPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport $port -j DROP
		$IPT -A INPUT -p udp -s 0/0 -d 0/0 --dport $port -j DROP
	done < /etc/firestarter/blocked-ports

# --------( Chain Configuration Finalize - Set Default Chain Policy )--------

$IPT -P OUTPUT DROP


# --------( Sysctl Tuning - Recommended Parameters )--------

# Turn off IP forwarding by default
# (this will be enabled if you require masquerading)

if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  echo 0 > /proc/sys/net/ipv4/ip_forward
fi

# Log 'odd' IP addresses (excludes 0.0.0.0 & 255.255.255.255)

if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
fi

# --------( Sysctl Tuning - TCP Parameters )--------

# Turn off TCP Timestamping in kernel
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps
fi

# Set TCP Re-Ordering value in kernel to '5'
if [ -e /proc/sys/net/ipv4/tcp_reordering ]; then
  echo 5 > /proc/sys/net/ipv4/tcp_reordering
fi

# Turn off TCP ACK in kernel
if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_sack
fi

#Turn off TCP Window Scaling in kernel
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
fi

#Set Keepalive timeout to 30 seconds
if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]; then
  echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
fi

#Set FIN timeout to 30 seconds
if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]; then
  echo 1800 > /proc/sys/net/ipv4/tcp_fin_timeout
fi

# Set TCP retry count to 3
if [ -e /proc/sys/net/ipv4/tcp_retries1 ]; then
  echo 3 > /proc/sys/net/ipv4/tcp_retries1
fi

#Turn off ECN notification in kernel
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi

# --------( Sysctl Tuning - SYN Parameters )--------

# Turn on SYN cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Set SYN ACK retry attempts to '3'
if [ -e /proc/sys/net/ipv4/tcp_synack_retries ]; then
  echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
fi

# Set SYN backlog buffer to '64'
if [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ]; then
  echo 64 > /proc/sys/net/ipv4/tcp_max_syn_backlog
fi

# Set SYN retry attempts to '6'
if [ -e /proc/sys/net/ipv4/tcp_syn_retries ]; then
  echo 6 > /proc/sys/net/ipv4/tcp_syn_retries
fi

# --------( Sysctl Tuning - Routing / Redirection Parameters )--------

# Turn on source address verification in kernel
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter
  do
   echo 1 > $f
  done
fi

# Turn off source routes in kernel
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route
  do
   echo 0 > $f
  done
fi

# Do not respond to 'redirected' packets
if [ -e /proc/sys/net/ipv4/secure_redirects ]; then
  echo 0 > /proc/sys/net/ipv4/secure_redirects
fi

# Do not reply to 'redirected' packets if requested
if [ -e /proc/sys/net/ipv4/send_redirects ]; then
  echo 0 > /proc/sys/net/ipv4/send_redirects
fi

# Do not reply to 'proxyarp' packets
if [ -e /proc/sys/net/ipv4/proxy_arp ]; then
  echo 0 > /proc/sys/net/ipv4/proxy_arp
fi

# Set FIB model to be RFC1812 Compliant
# (certain policy based routers may break with this - if you find
#  that you can't access certain hosts on your network - please set
#  this option to '0' - which is the default)

if [ -e /proc/sys/net/ipv4/ip_fib_model ]; then
  echo 2 > /proc/sys/net/ipv4/ip_fib_model
fi

# --------( Sysctl Tuning - ICMP/IGMP Parameters )--------

# ICMP Dead Error Messages protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

# ICMP Broadcasting protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

# IGMP Membership 'overflow' protection
# (if you are planning on running your box as a router - you should either
#  set this option to a number greater than 5, or disable this protection
#  altogether by commenting out this option)

if [ -e /proc/sys/net/ipv4/igmp_max_memberships ]; then
  echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
fi

# --------( Sysctl Tuning - Miscellaneous Parameters )--------

# Set TTL to '64' hops
# (If you are running a masqueraded network, or use policy-based
#  routing - you may want to increase this value depending on the load
#  on your link.)

if [ -e /proc/sys/net/ipv4/conf/all/ip_default_ttl ]; then
  for f in /proc/sys/net/ipv4/conf/*/ip_default_ttl
  do
   echo 64 > $f
  done
fi

# Always defragment incoming packets
# (Some cable modems [ Optus @home ] will suffer intermittent connection
#  dropouts with this setting. If you experience problems, set this to '0')

if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
  echo 1 > /proc/sys/net/ipv4/ip_always_defrag
fi

# Keep packet fragments in memory for 8 seconds
# (Note - this option has no effect if you turn packet defragmentation
#  (above) off!)

if [ -e /proc/sys/net/ipv4/ipfrag_time ]; then
  echo 8 > /proc/sys/net/ipv4/ipfrag_time
fi

# Do not reply to Address Mask Notification Warnings
# (If you are using your machine as a DMZ router or a PPP dialin server
#  that relies on proxy_arp requests to provide addresses to its clients
#  you may wish to disable this option by setting the value to '1'

if [ -e /proc/sys/net/ipv4/ip_addrmask_agent ]; then
  echo 0 > /proc/sys/net/ipv4/ip_addrmask_agent
fi

# Turn off dynamic TCP/IP address hacking
# (Some broken PPPoE clients have issues when this is disabled
#  If you experience problems with DSL or Cable providers, set this to '1')

if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo 0 > /proc/sys/net/ipv4/ip_dynaddr
fi


# --------( Sysctl Tuning - IPTables Specific Parameters )--------

# Doubling current limit for ip_conntrack
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
  echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max
fi

# --------( Rules Configuration - Specific Rule - Loopback Interfaces )--------

# Allow all traffic on the loopback interface
$IPT -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT


# --------( Rules Configuration - ICMP - Ruleset Filtered by GUI )--------

# ICMP: Ping Requests
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type echo-request -j $STOP
# ICMP: Traceroute Requests
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 33434 -j $STOP
# ICMP: MS Traceroute Requests
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type destination-unreachable -j $STOP
# ICMP: Unreachable Requests
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type host-unreachable -j $STOP
# ICMP: Timestamping Requests
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-request -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-reply -j $STOP
# ICMP: Address Masking
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-request -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-reply -j $STOP
# ICMP: Redirection Requests
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type redirect -j $STOP
# ICMP: Source Quench Requests
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type source-quench -j $STOP

# --------( Rules Configuration - Masquerading )--------

# --------( Rules Configuration - Masquerading - Firewall Modules Autoloader )--------

if ! ( $LSM | /bin/grep ip_nat_ftp > /dev/null ); then
$MPB ip_nat_ftp
fi

if ! ( $LSM | /bin/grep ip_nat_irc > /dev/null ); then
$MPB ip_nat_irc
fi

# --------( Rules Configuration - Masquerading - Sysctl Modifications )--------

#Turn on IP forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]
 then
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi

# --------( Rules Configuration - Masquerading - Default Policy )--------

#Setting forward (masquerading) policy to DROP
$IPT -t filter -P FORWARD DROP

# --------( Rules Configuration - Masquerading - Default Ruleset )--------

#TCPMSS Fix - Needed for *many* broken PPPO{A/E} clients
$IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Incorrect Flags )--------

$IPT -t filter -I FORWARD -m unclean -j UNCLEAN

# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Invalid Flags )--------

$IPT -t filter -A INPUT -m state --state INVALID -j $STOP

# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Excessive Fragmented Packets )--------

$IPT -t filter -A INPUT -f -m limit --limit 10/minute -j $STOP

#Forward Int/Ext & Ext/Int Traffic before Masquerading
$IPT -t filter -A FORWARD -d 0/0 -s $INNET -o $IF -j myrules
$IPT -t filter -A FORWARD -d $INNET -j myrules
$IPT -t filter -A FORWARD -d 0/0 -s $INNET2 -o $IF -j myrules
$IPT -t filter -A FORWARD -d $INNET2 -j myrules

#Masquerade outgoing traffic
$IPT -t nat -A POSTROUTING -o $IF -j MASQUERADE

#Don't masq external interface traffic
$IPT -t nat -A POSTROUTING -s $NET -d 0/0 -j ACCEPT

#Allow traffic from internal network going anywhere
$IPT -t filter -A INPUT -s $INNET -d 0/0 -j myrules
$IPT -t filter -A INPUT -s $INNET2 -d 0/0 -j myrules
$IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j myrules
$IPT -t filter -A OUTPUT -s $INNET2 -d 0/0 -j myrules
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j myrules
$IPT -t filter -A OUTPUT -p icmp -s $INNET2 -d 0/0 -j myrules

# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Incorrect Flags )--------

$IPT -t filter -I INPUT -i $IF -m unclean -j UNCLEAN


# --------( Rules Configuration - Inbound Traffic - Block nonroutable IP Addresses )--------

#Block nonroutable IPs, netblock list v2.0 2003-04-08
$IPT -t filter -A INPUT -s 0.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 2.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 5.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 7.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 10.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 23.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 27.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 31.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 36.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 37.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 39.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 41.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 42.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 49.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 50.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 58.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 59.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 70.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 71.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 72.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 73.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 74.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 75.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 76.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 77.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 78.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 79.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 83.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 84.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 85.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 86.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 87.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 88.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 89.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 90.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 91.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 92.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 93.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 94.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 95.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 96.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 97.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 98.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 99.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 100.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 101.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 102.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 103.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 104.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 105.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 106.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 107.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 108.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 109.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 110.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 111.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 112.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 113.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 114.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 115.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 116.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 117.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 118.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 119.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 120.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 121.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 122.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 123.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 124.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 125.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 126.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 127.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 169.254.0.0/16 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 172.16.0.0/12 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 173.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 174.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 175.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 176.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 177.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 178.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 179.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 180.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 181.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 182.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 183.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 184.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 185.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 186.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 187.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 189.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 190.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 192.0.2.0/24 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 192.168.0.0/16 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 197.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 198.18.0.0/15 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 223.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 224.0.0.0/3 -d $NET -i $IF -j $STOP

# --------( Rules Configuration - Inbound Traffic - Block known Trojan Ports )--------

#Block Back Orifice
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 31337 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 31337 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 31337 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 31337 -m limit --limit 2/minute -j $STOP

#Block Trinity v3
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 33270 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 33270 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 33270 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 33270 -m limit --limit 2/minute -j $STOP

#Block Subseven (1.7/1.9)
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 1234 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 6711 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 1234 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 6711 -m limit --limit 2/minute -j $STOP

#Block Stacheldraht
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 16660 --syn -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 60001 --syn -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 16660 --syn -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 60001 --syn -m limit --limit 2/minute -j $STOP

#Block NetBus
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 12345:12346 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 12345:12346 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 12345:12346 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 12345:12346 -m limit --limit 2/minute -j $STOP

#Block MS-RPC (dce)
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 135 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 135 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 135 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 135 -m limit --limit 2/minute -j $STOP

#Block Trin00
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 1524 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 27665 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 27444 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 31335 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 1524 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 27665 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 27444 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 31335 -m limit --limit 2/minute -j $STOP


# --------( Rules Configuration - Inbound Traffic - Block Multicast Traffic )--------

# (some cable/DSL providers require their clients to accept multicast transmissions;
#  you should remove the following four rules if you are affected by multicasting)
$IPT -t filter -A INPUT -s 224.0.0.0/8 -d 0/0 -j $STOP
$IPT -t filter -A INPUT -s 0/0 -d 224.0.0.0/8 -j $STOP
$IPT -t filter -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j $STOP
$IPT -t filter -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j $STOP


# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Stuffed Routing )--------

# (early versions of PUMP - (the DHCP client application included in RH / Mandrake) require
#  inbound packets to be accepted from a source address of 255.255.255.255.  If you have issues
#  with DHCP clients on your local LAN - either update PUMP, or remove the first rule below)
$IPT -t filter -A INPUT -s 255.255.255.255 -j $STOP
$IPT -t filter -A INPUT -d 0.0.0.0 -j $STOP
$IPT -t filter -A OUTPUT -s 255.255.255.255 -j $STOP
$IPT -t filter -A OUTPUT -d 0.0.0.0 -j $STOP


# --------( Rules Configuration - Inbound Traffic - Block Broadcast )--------

$IPT -t filter -A INPUT -i $IF -s 10.0.0.255 -j DROP
$IPT -t filter -A INPUT -i $IF -s 0.0.0.0 -j DROP
$IPT -t filter -A INPUT -i $IF -d 255.255.255.255 -j DROP
$IPT -t filter -A INPUT -i $IF -d 0.0.0.0 -j DROP

# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Invalid Flags )--------

$IPT -t filter -A INPUT -m state --state INVALID -j $STOP


# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Excessive Fragmented Packets )--------

$IPT -t filter -A INPUT -f -m limit --limit 10/minute -j $STOP


# --------( Rules Configuration - Inbound Traffic - Ruleset Filtered by GUI )--------

#FTP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 20  ! --syn -j ACCEPT
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 21 -j ACCEPT

#SMTP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 25 -j ACCEPT

#SSL-SMTP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 465 -j ACCEPT

#DNS
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 53 -j ACCEPT
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 53 -j ACCEPT

#HTTP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 80 -j ACCEPT

#SSL HTTP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 443 -j ACCEPT

#IMAP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 143 -j ACCEPT

#POP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 110 -j ACCEPT

#SSL-POP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 995 -j ACCEPT


# --------( Rules Configuration - Inbound Traffic - Highport Connection Fixes )--------

$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j $STOP

#FTP Data fix
$IPT  -A INPUT -p tcp --sport 20 --dport 1023:65535 ! --syn -m state --state RELATED -j ACCEPT


# --------( Rules Configuration - Inbound Traffic - Highport Connections )--------

$IPT  -A INPUT -p tcp -s 0/0 -d $NET --dport 1024:65535 -j STATE
$IPT  -A INPUT -p udp -s 0/0 -d $NET --dport 1023:65535 -j ACCEPT


# --------( Rules Configuration - Outbound Traffic - Highport Connection Fixes )--------

$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP


# --------( Rules Configuration - Outbound Traffic - TTL Mangling )--------

# Set the TTL of outgoing packets to 64 (TTL target, mangle table only; needs the ipt_TTL module)
$IPT -t mangle -A OUTPUT -j TTL --ttl-set 64

# --------( Rules Configuration - Outbound Traffic - Block Traffic w/ Incorrect Flags )--------

$IPT -t filter -I OUTPUT -o $IF -m unclean -j UNCLEAN


# --------( Rules Configuration - Outbound Traffic - Default Ruleset )--------

$IPT -A OUTPUT -p icmp -s $NET -d 0/0 -o $IF -j ACCEPT
$IPT -A OUTPUT -j ACCEPT

# --------( Transparent proxy rules )----------
# For home
$IPT -t nat -A PREROUTING -i $INIF -s ! 192.168.10.10 -p tcp --dport 80 -j DNAT --to 192.168.10.10:3128
$IPT -t nat -A POSTROUTING -o $INIF -s $INNET -d 192.168.10.10 -j SNAT --to 192.168.10.111
$IPT -A FORWARD -s $INNET -d 192.168.10.10 -i $INIF -o $INIF -p tcp --dport 3128 -j myrules

# For the neighbours
$IPT -t nat -A PREROUTING -i $INIF2 -s ! 192.168.10.10 -p tcp --dport 80 -j DNAT --to 192.168.10.10:3128
$IPT -t nat -A POSTROUTING -o $INIF2 -s $INNET2 -d 192.168.10.10 -j SNAT --to 192.168.1.111
$IPT -A FORWARD -s $INNET2 -d 192.168.10.10 -i $INIF2 -o $INIF2 -p tcp --dport 3128 -j myrules

# --------( Catch all Rules (required) )--------

# Deny everything not let through earlier
$IPT -A INPUT -j $STOP

# Create Firestarter lock file
if [ -e /var/lock/subsys ]; then
  touch /var/lock/subsys/firestarter
else
  touch /var/lock/firestarter
fi
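
The nonroutable ("bogon") list above is dated 2003-04-08, and /8 blocks that were unallocated then have since been handed out, so a static list like this ends up dropping legitimate public sources. The following checker is an added example, not part of the posted script: it pulls the -s prefixes out of lines in the same format, subtracts the ranges the IANA special-purpose registry still reserves, and reports any residue that is ordinary public address space. The sample lines are constructed from a few of the script's prefixes.

```python
import ipaddress
import re

# Constructed sample in the same line format as the script above
# (a handful of its prefixes, not the full list).
SAMPLE_RULES = """\
$IPT -t filter -A INPUT -s 0.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 10.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 23.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 169.254.0.0/16 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 192.0.2.0/24 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 198.18.0.0/15 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 224.0.0.0/3 -d $NET -i $IF -j $STOP
"""

# IPv4 ranges the IANA special-purpose registry (RFC 6890 and successors)
# still marks as not globally reachable, plus multicast and class E.
SPECIAL_PURPOSE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Source prefix of a "-s <prefix> ... -j $STOP" rule line
SRC_RE = re.compile(r"-s\s+(\S+)\s.*-j\s+\$STOP")


def blocked_sources(script_text):
    """Return the source prefixes of the script's -s ... -j $STOP rules."""
    nets = []
    for line in script_text.splitlines():
        m = SRC_RE.search(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def public_residue(blocked, reserved=SPECIAL_PURPOSE):
    """Subtract every reserved range from `blocked`; what remains is address
    space the rule drops even though it is ordinary allocated unicast space."""
    remaining = [blocked]
    for r in reserved:
        nxt = []
        for n in remaining:
            if r.supernet_of(n):          # fully covered (or equal): drop it
                continue
            if n.supernet_of(r):          # carve the reserved hole out of n
                nxt.extend(n.address_exclude(r))
            else:                         # disjoint CIDR blocks: keep as is
                nxt.append(n)
        remaining = nxt
    return sorted(remaining)


def audit(script_text):
    """Map each blocked prefix to the public sub-prefixes it would drop
    ([] means the prefix is still entirely special-purpose space)."""
    return {str(n): [str(x) for x in public_residue(n)]
            for n in blocked_sources(script_text)}


if __name__ == "__main__":
    for prefix, residue in audit(SAMPLE_RULES).items():
        if residue:
            print(f"{prefix:18} STALE, drops public space: {', '.join(residue)}")
        else:
            print(f"{prefix:18} still reserved")
```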



* Re: MAC address and iptables
  2004-02-29 18:10                 ` Sasa Stupar
@ 2004-02-29 21:44                   ` Sasa Stupar
  2004-02-29 22:03                     ` Antony Stone
  0 siblings, 1 reply; 17+ messages in thread
From: Sasa Stupar @ 2004-02-29 21:44 UTC (permalink / raw)
  To: Netfilter-List

Could anyone help me with this?

Sasa





* Re: MAC address and iptables
  2004-02-29 21:44                   ` Sasa Stupar
@ 2004-02-29 22:03                     ` Antony Stone
  2004-03-01  6:27                       ` Sasa Stupar
  2004-03-01  6:42                       ` Sasa Stupar
  0 siblings, 2 replies; 17+ messages in thread
From: Antony Stone @ 2004-02-29 22:03 UTC (permalink / raw)
  To: Netfilter-List

On Sunday 29 February 2004 9:44 pm, Sasa Stupar wrote:

> Anyone could help me with this ??

If you can post your ruleset in a format we can understand ("iptables -L -nvx; 
iptables -L -t nat -nvx" is good), keep the ruleset to the smallest possible 
number which shows the problem you have, and explain what you changed when 
the problem started, we may be able to help.

If you expect people to read through an 800-line script file containing lots 
of rules which have nothing to do with the problem you are asking about, then 
you must either give enough time for people to read it and understand it, or 
else you are expecting too much.

I will happily help you solve your problem if you will help me understand it.

Someone else here may be prepared to put in the time and effort to read your 
previous posting; we shall have to wait and see.

Regards,

Antony.

-- 
Success is a lousy teacher.  It seduces smart people into thinking they can't 
lose.

 - William H Gates III

                                                     Please reply to the list;
                                                           please don't CC me.
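
Antony asks for the rulesets as "iptables -L -nvx" listings and for an explanation of what changed between the working and the broken state. As an added example (not part of the thread), this script parses listings in that layout, strips the packet and byte counters so only the rule specifications compare, and reports the rules each chain gained or lost; the two listings, the chain names and the MAC rule in them are constructed, not the poster's attachments.

```python
import re

# Constructed before/after listings in "iptables -L -nvx" layout.
BEFORE = """\
Chain INPUT (policy DROP 6 packets, 360 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      13     1215 myrules    all  --  *      *       192.168.10.0/24      0.0.0.0/0

Chain myrules (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      13     1215 ACCEPT     all  --  *      *       192.168.10.20        0.0.0.0/0
"""

AFTER = """\
Chain INPUT (policy DROP 9 packets, 540 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      21     2002 myrules    all  --  *      *       192.168.10.0/24      0.0.0.0/0

Chain myrules (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       192.168.10.20        0.0.0.0/0          MAC 00:11:22:33:44:55
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")          # "Chain INPUT (policy DROP ...)"
COUNTER_RE = re.compile(r"^\s*\d+\s+\d+\s+(.*)$")         # "<pkts> <bytes> <rule spec>"


def parse_listing(text):
    """Map chain name -> ordered list of rule specs with the pkts/bytes
    counters dropped and whitespace collapsed, so only the rule itself compares."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue                      # column header or blank separator
        m = COUNTER_RE.match(line)
        if m:
            chains[current].append(" ".join(m.group(1).split()))
    return chains


def diff_rulesets(before, after):
    """Return {chain: (removed_rules, added_rules)} for every chain whose
    rule specs differ; chains that differ only in counters are omitted."""
    b, a = parse_listing(before), parse_listing(after)
    out = {}
    for chain in sorted(set(b) | set(a)):
        old, new = b.get(chain, []), a.get(chain, [])
        removed = [r for r in old if r not in new]
        added = [r for r in new if r not in old]
        if removed or added:
            out[chain] = (removed, added)
    return out


if __name__ == "__main__":
    for chain, (removed, added) in diff_rulesets(BEFORE, AFTER).items():
        print(f"Chain {chain}:")
        for r in removed:
            print("  -", r)
        for r in added:
            print("  +", r)
```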




* Re: MAC address and iptables
  2004-02-29 22:03                     ` Antony Stone
@ 2004-03-01  6:27                       ` Sasa Stupar
  2004-03-01  6:42                       ` Sasa Stupar
  1 sibling, 0 replies; 17+ messages in thread
From: Sasa Stupar @ 2004-03-01  6:27 UTC (permalink / raw)
  To: Netfilter-List

[-- Attachment #1: Type: text/plain, Size: 764 bytes --]

> If you can post your ruleset in a format we can understand ("iptables -L -nvx;
> iptables -L -t nat -nvx" is good), keep the ruleset to the smallest possible 
> number which shows the problem you have, and explain what you changed when 
> the problem started, we may be able to help.

OK, I have done the ruleset in the format you advised and they are 
attached. I have made two pairs: one before (working config) and one after 
the change. I have named them as follows:
- for command "iptables -L -nvx" they are called iptables-before and 
iptables-after
- for command "iptables -L -t nat -nvx" they are called 
iptables-nat-before and iptables-nat-after

I hope that it is now more readable. Sorry, but I am new to this.

Thank you again for helping me,
Sasa


[-- Attachment #2: iptables-nat-before --]
[-- Type: text/plain, Size: 3771 bytes --]

Chain PREROUTING (policy ACCEPT 195701 packets, 58695023 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:21 to:192.168.10.10:21 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:21 to:192.168.10.10:21 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:25 to:192.168.10.10:25 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:25 to:192.168.10.10:25 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:80 to:192.168.10.10:80 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:80 to:192.168.10.10:80 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:110 to:192.168.10.10:110 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:110 to:192.168.10.10:110 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:443 to:192.168.10.10:443 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:443 to:192.168.10.10:443 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:465 to:192.168.10.10:465 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:465 to:192.168.10.10:465 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:995 to:192.168.10.10:995 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:995 to:192.168.10.10:995 
       1       48 DNAT       tcp  --  eth1   *      !192.168.10.10        0.0.0.0/0          tcp dpt:80 to:192.168.10.10:3128 
       0        0 DNAT       tcp  --  eth2   *      !192.168.10.10        0.0.0.0/0          tcp dpt:80 to:192.168.10.10:3128 

Chain POSTROUTING (policy ACCEPT 7354 packets, 377864 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:21 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:25 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:80 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:110 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:443 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:465 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:995 to:192.168.10.111 
       8      471 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          
       0        0 ACCEPT     all  --  *      *       194.249.51.64/26     0.0.0.0/0          
       1       48 SNAT       all  --  *      eth1    192.168.10.0/24      192.168.10.10      to:192.168.10.111 
       0        0 SNAT       all  --  *      eth2    192.168.1.0/24       192.168.10.10      to:192.168.1.111 

Chain OUTPUT (policy ACCEPT 8235 packets, 626936 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

[-- Attachment #3: iptables-after --]
[-- Type: text/plain, Size: 24068 bytes --]

Chain INPUT (policy DROP 6 packets, 360 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 UNCLEAN    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          unclean 
       0        0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0          tcp flags:!0x16/0x02 
       0        0 ACCEPT     udp  --  *      *       127.0.0.1            0.0.0.0/0          
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 8 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:33434 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 3 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 3 code 1 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 13 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 14 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 17 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 18 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 5 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 4 
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
       0        0 LD         all  -f  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/min burst 5 
      13     1215 myrules    all  --  *      *       192.168.10.0/24      0.0.0.0/0          
       0        0 myrules    all  --  *      *       192.168.1.0/24       0.0.0.0/0          
       0        0 LD         all  --  eth0   *       0.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       1.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       2.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       5.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       7.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       10.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       23.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       27.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       31.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       36.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       37.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       39.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       41.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       42.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       49.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       50.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       58.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       59.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       70.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       71.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       72.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       73.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       74.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       75.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       76.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       77.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       78.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       79.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       83.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       84.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       85.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       86.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       87.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       88.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       89.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       90.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       91.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       92.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       93.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       94.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       95.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       96.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       97.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       98.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       99.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       100.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       101.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       102.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       103.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       104.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       105.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       106.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       107.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       108.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       109.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       110.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       111.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       112.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       113.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       114.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       115.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       116.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       117.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       118.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       119.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       120.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       121.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       122.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       123.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       124.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       125.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       126.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       127.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       169.254.0.0/16       194.249.51.64/26   
       0        0 LD         all  --  eth0   *       172.16.0.0/12        194.249.51.64/26   
       0        0 LD         all  --  eth0   *       173.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       174.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       175.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       176.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       177.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       178.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       179.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       180.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       181.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       182.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       183.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       184.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       185.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       186.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       187.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       189.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       190.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       192.0.2.0/24         194.249.51.64/26   
       0        0 LD         all  --  eth0   *       192.168.0.0/16       194.249.51.64/26   
       0        0 LD         all  --  eth0   *       197.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       198.18.0.0/15        194.249.51.64/26   
       0        0 LD         all  --  eth0   *       223.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       224.0.0.0/3          194.249.51.64/26   
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:31337 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:31337 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:33270 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:33270 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:1234 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:6711 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpts:12345:12346 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpts:12345:12346 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:135 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:135 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:1524 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:27665 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:27444 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:31335 limit: avg 2/min burst 5 
       0        0 LD         all  --  *      *       224.0.0.0/8          0.0.0.0/0          
       0        0 LD         all  --  *      *       0.0.0.0/0            224.0.0.0/8        
       0        0 LD         all  --  *      *       255.255.255.255      0.0.0.0/0          
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0            
       0        0 DROP       all  --  eth0   *       10.0.0.255           0.0.0.0/0          
       0        0 DROP       all  --  eth0   *       0.0.0.0              0.0.0.0/0          
       0        0 DROP       all  --  eth0   *       0.0.0.0/0            255.255.255.255    
       0        0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0            
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
       0        0 LD         all  -f  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/min burst 5 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:20 flags:!0x16/0x02 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:21 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:25 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:465 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:53 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:53 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:80 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:443 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:143 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:110 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:995 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 dpts:1023:65535 flags:!0x16/0x02 state RELATED 
       0        0 STATE      tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpts:1024:65535 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpts:1023:65535 
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 UNCLEAN    all  --  *      *       0.0.0.0/0            0.0.0.0/0          unclean 
       0        0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:21 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:21 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:25 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:25 
      18     3062 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:80 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:80 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:110 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:110 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:443 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:443 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:465 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:465 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:995 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:995 
      24    26007 myrules    all  --  *      eth0    192.168.10.0/24      0.0.0.0/0          
       0        0 myrules    all  --  *      *       0.0.0.0/0            192.168.10.0/24    
       0        0 myrules    all  --  *      eth0    192.168.1.0/24       0.0.0.0/0          
       0        0 myrules    all  --  *      *       0.0.0.0/0            192.168.1.0/24     
       0        0 myrules    tcp  --  eth1   eth1    192.168.10.0/24      192.168.10.10      tcp dpt:3128 
       0        0 myrules    tcp  --  eth2   eth2    192.168.1.0/24       192.168.10.10      tcp dpt:3128 

Chain OUTPUT (policy DROP 4 packets, 218 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 UNCLEAN    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          unclean 
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0          
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:31337 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:31337 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:33270 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:33270 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:1234 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:6711 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpts:12345:12346 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpts:12345:12346 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:135 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:135 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:1524 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:27665 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:27444 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:31335 limit: avg 2/min burst 5 
       0        0 LD         all  --  *      *       224.0.0.0/8          0.0.0.0/0          
       0        0 LD         all  --  *      *       0.0.0.0/0            224.0.0.0/8        
       0        0 LD         all  --  *      *       255.255.255.255      0.0.0.0/0          
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0            
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW 
      17      941            all  --  *      *       0.0.0.0/0            0.0.0.0/0          TTL match TTL == 64 
       0        0 ACCEPT     icmp --  *      eth0    194.249.51.64/26     0.0.0.0/0          
      16      872 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain LD (158 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain SANITY (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain STATE (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LD         all  --  !lo    *       0.0.0.0/0            0.0.0.0/0          state NEW 
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain UNCLEAN (3 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain myrules (8 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       192.168.10.1         0.0.0.0/0          MAC 00:0C:6E:F1:F3:48 
       0        0 ACCEPT     all  --  *      *       192.168.10.111       0.0.0.0/0          MAC 00:50:BF:7A:5E:E5 
       0        0 ACCEPT     all  --  *      *       192.168.1.111        0.0.0.0/0          MAC 00:40:F4:60:D0:39 
      37    27222 ACCEPT     all  --  *      *       192.168.10.10        0.0.0.0/0          MAC 00:C0:26:28:8E:59 
       0        0 ACCEPT     all  --  *      *       194.249.51.74        0.0.0.0/0          MAC 00:30:4F:24:58:01 
       0        0 ACCEPT     all  --  *      *       192.168.10.30        0.0.0.0/0          MAC 00:E0:18:88:53:F0 
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

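An added check for the `iptables-after` ruleset above (example code written for this page, not part of the original message or the poster's configuration): a small Python parser for the `iptables -L -v -n` format that finds chains using the `mac` match and flags the jumps into them that can see frames arriving from the WAN side. The `mac` match compares the source MAC of the frame as it reached the firewall; for replies entering on eth0 that is the upstream router's MAC, never a LAN host's, so a jump like `myrules all -- * * 0.0.0.0/0 192.168.10.0/24` can only fall through to the chain's final DROP. It also notes when FORWARD has no RELATED,ESTABLISHED rule, since the MAC whitelist should only ever be consulted for new connections leaving the LAN. The sample dump is a trimmed, constructed copy of the FORWARD and myrules chains; the interface names, the LAN prefix and the `macfilter` chain name in the suggested rule shape are assumptions.

```python
import re

# Constructed sample input: a trimmed copy of the FORWARD and myrules chains
# from the "iptables-after" dump, in `iptables -L -v -n` format.
SAMPLE_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
      18     3062 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:80
      24    26007 myrules    all  --  *      eth0    192.168.10.0/24      0.0.0.0/0
       0        0 myrules    all  --  *      *       0.0.0.0/0            192.168.10.0/24
       0        0 myrules    tcp  --  eth1   eth1    192.168.10.0/24      192.168.10.10      tcp dpt:3128

Chain myrules (8 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       192.168.10.1         0.0.0.0/0          MAC 00:0C:6E:F1:F3:48
      37    27222 ACCEPT     all  --  *      *       192.168.10.10        0.0.0.0/0          MAC 00:C0:26:28:8E:59
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# Columns of a counter line: pkts bytes [target] prot opt in out src dst [extra].
# The target is optional because a match-only rule prints an empty target.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?:(?P<target>[A-Za-z_][\w-]*)\s+)?"
    r"(?P<prot>all|tcp|udp|icmp|\d+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
MAC_RE = re.compile(r"\bMAC ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")


def parse_dump(text):
    """Return {chain_name: [rule dicts]} from `iptables -L -v -n` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        r = RULE_RE.match(line)
        if r:
            rule = r.groupdict()
            rule["extra"] = rule["extra"].strip()
            chains[current].append(rule)
    return chains


def mac_whitelist(rules):
    """IP -> MAC pairs from a chain's ACCEPT rules that carry a mac match."""
    pairs = {}
    for r in rules:
        m = MAC_RE.search(r["extra"])
        if m and r["target"] == "ACCEPT":
            pairs[r["src"]] = m.group(1)
    return pairs


def audit_mac_rules(chains, wan_if="eth0", lan_nets=("192.168.",)):
    """Flag jumps into MAC-filtering chains that can see WAN-side frames."""
    findings = []
    mac_chains = {name for name, rules in chains.items()
                  if any(MAC_RE.search(r["extra"]) for r in rules)}
    for chain, rules in chains.items():
        for r in rules:
            if r["target"] not in mac_chains:
                continue
            # A frame that entered on the WAN interface, or any frame addressed
            # to the LAN (i.e. a reply), carries the upstream router's source
            # MAC, so a LAN host whitelist cannot match it.
            wan_side = r["in"] == wan_if or (r["in"] == "*" and r["dst"].startswith(lan_nets))
            if wan_side:
                findings.append(
                    f"{chain}: jump to {r['target']} for {r['src']} -> {r['dst']} "
                    f"(in={r['in']}) can match frames from the WAN side; the "
                    f"source-MAC whitelist will drop replies")
    if not any("ESTABLISHED" in r["extra"] for r in chains.get("FORWARD", [])):
        findings.append("FORWARD: no RELATED,ESTABLISHED rule; return traffic for "
                        "MAC-filtered hosts depends on stateless matches")
    return findings


def corrected_forward_rules(lan_if, wan_if, hosts):
    """Suggested rule shape (assumed chain name `macfilter`): accept replies by
    connection state first, then apply the source-MAC whitelist only to new
    connections entering from the LAN interface. `hosts` maps IP -> MAC."""
    cmds = [
        "iptables -N macfilter",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -m state --state NEW -j macfilter",
    ]
    for ip, mac in hosts.items():
        cmds.append(f"iptables -A macfilter -s {ip} -m mac --mac-source {mac} -j ACCEPT")
    cmds.append("iptables -A macfilter -j DROP")
    return cmds


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for finding in audit_mac_rules(parsed):
        print("WARN", finding)
    for cmd in corrected_forward_rules("eth1", "eth0", mac_whitelist(parsed["myrules"])):
        print(cmd)
```

Run it against a saved `iptables -L -v -n` dump instead of the constructed sample to audit a live box. Two caveats the output cannot tell you: the `mac` match only works on interfaces where the matched hosts are directly attached (it never sees a MAC from the far side of a router), and MAC addresses are trivially changed on most operating systems, so an IP/MAC pair raises the bar for casual misuse but is not authentication.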
[-- Attachment #4: iptables-before --]
[-- Type: text/plain, Size: 23526 bytes --]

Chain INPUT (policy DROP 4 packets, 250 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 UNCLEAN    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          unclean 
       0        0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0          tcp flags:!0x16/0x02 
       0        0 ACCEPT     udp  --  *      *       127.0.0.1            0.0.0.0/0          
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 8 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:33434 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 3 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 3 code 1 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 13 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 14 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 17 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 18 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 5 
       0        0 LD         icmp --  *      *       0.0.0.0/0            194.249.51.64/26   icmp type 4 
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
       0        0 LD         all  -f  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/min burst 5 
      42     2859 ACCEPT     all  --  *      *       192.168.10.0/24      0.0.0.0/0          
       0        0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0          
       0        0 LD         all  --  eth0   *       0.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       1.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       2.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       5.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       7.0.0.0/8            194.249.51.64/26   
       0        0 LD         all  --  eth0   *       10.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       23.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       27.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       31.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       36.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       37.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       39.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       41.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       42.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       49.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       50.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       58.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       59.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       70.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       71.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       72.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       73.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       74.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       75.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       76.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       77.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       78.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       79.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       83.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       84.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       85.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       86.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       87.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       88.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       89.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       90.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       91.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       92.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       93.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       94.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       95.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       96.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       97.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       98.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       99.0.0.0/8           194.249.51.64/26   
       0        0 LD         all  --  eth0   *       100.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       101.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       102.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       103.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       104.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       105.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       106.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       107.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       108.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       109.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       110.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       111.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       112.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       113.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       114.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       115.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       116.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       117.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       118.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       119.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       120.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       121.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       122.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       123.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       124.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       125.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       126.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       127.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       169.254.0.0/16       194.249.51.64/26   
       0        0 LD         all  --  eth0   *       172.16.0.0/12        194.249.51.64/26   
       0        0 LD         all  --  eth0   *       173.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       174.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       175.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       176.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       177.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       178.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       179.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       180.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       181.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       182.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       183.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       184.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       185.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       186.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       187.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       189.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       190.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       192.0.2.0/24         194.249.51.64/26   
       0        0 LD         all  --  eth0   *       192.168.0.0/16       194.249.51.64/26   
       0        0 LD         all  --  eth0   *       197.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       198.18.0.0/15        194.249.51.64/26   
       0        0 LD         all  --  eth0   *       223.0.0.0/8          194.249.51.64/26   
       0        0 LD         all  --  eth0   *       224.0.0.0/3          194.249.51.64/26   
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:31337 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:31337 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:33270 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:33270 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:1234 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:6711 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpts:12345:12346 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpts:12345:12346 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:135 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:135 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:1524 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:27665 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:27444 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:31335 limit: avg 2/min burst 5 
       0        0 LD         all  --  *      *       224.0.0.0/8          0.0.0.0/0          
       0        0 LD         all  --  *      *       0.0.0.0/0            224.0.0.0/8        
       0        0 LD         all  --  *      *       255.255.255.255      0.0.0.0/0          
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0            
       0        0 DROP       all  --  eth0   *       10.0.0.255           0.0.0.0/0          
       0        0 DROP       all  --  eth0   *       0.0.0.0              0.0.0.0/0          
       0        0 DROP       all  --  eth0   *       0.0.0.0/0            255.255.255.255    
       0        0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0            
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
       0        0 LD         all  -f  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/min burst 5 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:20 flags:!0x16/0x02 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:21 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:25 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:465 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:53 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:53 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:80 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:443 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:143 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:110 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:995 
       0        0 LD         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 dpts:1023:65535 flags:!0x16/0x02 state RELATED 
       0        0 STATE      tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpts:1024:65535 
       1       91 ACCEPT     udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpts:1023:65535 
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 UNCLEAN    all  --  *      *       0.0.0.0/0            0.0.0.0/0          unclean 
      17      932 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:21 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:21 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:25 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:25 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:80 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:80 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:110 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:110 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:443 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:443 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:465 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:465 
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10      tcp dpt:995 
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.10      udp dpt:995 
      63     3696 ACCEPT     all  --  *      eth0    192.168.10.0/24      0.0.0.0/0          
      70     8690 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.10.0/24    
       0        0 ACCEPT     all  --  *      eth0    192.168.1.0/24       0.0.0.0/0          
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24     
       0        0 ACCEPT     tcp  --  eth1   eth1    192.168.10.0/24      192.168.10.10      tcp dpt:3128 
       0        0 ACCEPT     tcp  --  eth2   eth2    192.168.1.0/24       192.168.10.10      tcp dpt:3128 

Chain OUTPUT (policy DROP 1 packets, 69 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 UNCLEAN    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          unclean 
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0          
      60     4930 ACCEPT     all  --  *      *       192.168.10.0/24      0.0.0.0/0          
       0        0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0          
       0        0 ACCEPT     icmp --  *      *       192.168.10.0/24      0.0.0.0/0          
       0        0 ACCEPT     icmp --  *      *       192.168.1.0/24       0.0.0.0/0          
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:31337 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:31337 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:33270 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:33270 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:1234 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:6711 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpts:12345:12346 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpts:12345:12346 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:135 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:135 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:1524 limit: avg 2/min burst 5 
       0        0 LD         tcp  --  *      *       194.249.51.64/26     0.0.0.0/0          tcp dpt:27665 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:27444 limit: avg 2/min burst 5 
       0        0 LD         udp  --  *      *       194.249.51.64/26     0.0.0.0/0          udp dpt:31335 limit: avg 2/min burst 5 
       0        0 LD         all  --  *      *       224.0.0.0/8          0.0.0.0/0          
       0        0 LD         all  --  *      *       0.0.0.0/0            224.0.0.0/8        
       0        0 LD         all  --  *      *       255.255.255.255      0.0.0.0/0          
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0            
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW 
       1       75            all  --  *      *       0.0.0.0/0            0.0.0.0/0          TTL match TTL == 64 
       0        0 ACCEPT     icmp --  *      eth0    194.249.51.64/26     0.0.0.0/0          
       1       75 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain LD (158 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain SANITY (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain STATE (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LD         all  --  !lo    *       0.0.0.0/0            0.0.0.0/0          state NEW 
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain UNCLEAN (3 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LD         all  --  *      *       0.0.0.0/0            0.0.0.0/0          

[-- Attachment #5: iptables-nat-after --]
[-- Type: text/plain, Size: 3771 bytes --]

Chain PREROUTING (policy ACCEPT 195663 packets, 58692648 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:21 to:192.168.10.10:21 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:21 to:192.168.10.10:21 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:25 to:192.168.10.10:25 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:25 to:192.168.10.10:25 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:80 to:192.168.10.10:80 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:80 to:192.168.10.10:80 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:110 to:192.168.10.10:110 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:110 to:192.168.10.10:110 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:443 to:192.168.10.10:443 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:443 to:192.168.10.10:443 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:465 to:192.168.10.10:465 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:465 to:192.168.10.10:465 
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            194.249.51.64/26   tcp dpt:995 to:192.168.10.10:995 
       0        0 DNAT       udp  --  *      *       0.0.0.0/0            194.249.51.64/26   udp dpt:995 to:192.168.10.10:995 
       0        0 DNAT       tcp  --  eth1   *      !192.168.10.10        0.0.0.0/0          tcp dpt:80 to:192.168.10.10:3128 
       0        0 DNAT       tcp  --  eth2   *      !192.168.10.10        0.0.0.0/0          tcp dpt:80 to:192.168.10.10:3128 

Chain POSTROUTING (policy ACCEPT 7354 packets, 377864 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:21 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:25 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:80 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:110 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:443 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:465 to:192.168.10.111 
       0        0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10      tcp dpt:995 to:192.168.10.111 
       0        0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          
       0        0 ACCEPT     all  --  *      *       194.249.51.64/26     0.0.0.0/0          
       0        0 SNAT       all  --  *      eth1    192.168.10.0/24      192.168.10.10      to:192.168.10.111 
       0        0 SNAT       all  --  *      eth2    192.168.1.0/24       192.168.10.10      to:192.168.1.111 

Chain OUTPUT (policy ACCEPT 8233 packets, 626786 bytes)
    pkts      bytes target     prot opt in     out     source               destination         


* Re: MAC address and iptables
  2004-02-29 22:03                     ` Antony Stone
  2004-03-01  6:27                       ` Sasa Stupar
@ 2004-03-01  6:42                       ` Sasa Stupar
  2004-03-01  9:34                         ` Sasa Stupar
  1 sibling, 1 reply; 17+ messages in thread
From: Sasa Stupar @ 2004-03-01  6:42 UTC (permalink / raw)
  To: Netfilter-List

[-- Attachment #1: Type: text/plain, Size: 762 bytes --]

> If you can post your ruleset in a format we can understand
> ("iptables -L -nvx;
> iptables -L -t nat -nvx" is good), keep the ruleset to the smallest possible 
> number which shows the problem you have, and explain what you changed when 
> the problem started, we may be able to help.

OK, I have done the ruleset in the format you have advised and they are
attached. I have made two pairs: one before (working config) and one after
the change. I have named them as follows:
- for command "iptables -L -nvx" they are called iptables-before and
iptables-after
- for command "iptables -L -t nat -nvx" they are called
iptables-nat-before and iptables-nat-after

I hope that it is now more readable. Sorry, but I am new to this.

Thank you again for helping me,
Sasa




[-- Attachment #2: iptables.zip --]
[-- Type: application/x-zip-compressed, Size: 4702 bytes --]

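A small parser for the `iptables -L -nvx` listing format Antony asked for and Sasa attached (the iptables-before/after dumps shown above), added here as an example and not code from the thread. It assumes the column layout seen in the page's listing, reads chains and rules out of a constructed excerpt of it, and reports the rules whose counters are non-zero, which is the usual first step when working out which rule is handling the traffic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# "Chain INPUT (policy DROP 0 packets, 0 bytes)" or "Chain LD (158 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) \d+ packets, \d+ bytes|\d+ references)\)")
# pkts bytes [target] prot opt in out src dst [match]; target is blank for a rule with no -j, so optional
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(?:(\S+)\s+)?(all|tcp|udp|icmp|\d+)\s+(--|!?-?f)\s+"
                     r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*?)\s*$")

@dataclass
class Rule:
    pkts: int; nbytes: int; target: str; prot: str      # target == "" for a counter-only rule
    in_if: str; out_if: str; src: str; dst: str; match: str

@dataclass
class Chain:
    name: str
    policy: Optional[str]                               # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

def parse_listing(text: str) -> List[Chain]:
    """Parse `iptables -L -nvx` output (the format used in the thread) into Chain objects."""
    chains: List[Chain] = []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chains.append(Chain(m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m and chains:                                # column-header lines never match RULE_RE
            pkts, nbytes, target, prot, _opt, iin, out, src, dst, match = m.groups()
            chains[-1].rules.append(Rule(int(pkts), int(nbytes), target or "", prot, iin, out, src, dst, match))
    return chains

def rules_with_traffic(chains: List[Chain]) -> List[str]:
    """Rules with non-zero counters: the first place to look when asking which rule took a packet."""
    return [f"{c.name}#{i} {r.target or '(count only)'} {r.prot} {r.src}->{r.dst} {r.match}".rstrip()
            for c in chains for i, r in enumerate(c.rules, 1) if r.pkts]

# Constructed excerpt of the FORWARD, OUTPUT and LD chains from the listing above
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      17      932 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
      63     3696 ACCEPT     all  --  *      eth0    192.168.10.0/24      0.0.0.0/0
Chain OUTPUT (policy DROP 1 packets, 69 bytes)
       1       75            all  --  *      *       0.0.0.0/0            0.0.0.0/0          TTL match TTL == 64
       1       75 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain LD (158 references)
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
"""
```

Feed it the real before/after dumps and diff the two outputs of `rules_with_traffic` to see which rule started taking the packets after the change.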

* Re: MAC address and iptables
  2004-03-01  6:42                       ` Sasa Stupar
@ 2004-03-01  9:34                         ` Sasa Stupar
  0 siblings, 0 replies; 17+ messages in thread
From: Sasa Stupar @ 2004-03-01  9:34 UTC (permalink / raw)
  To: Netfilter-List

Never mind, I have solved the problem myself.

Thank you all for helping me out.

Sasa





Thread overview: 17+ messages
2004-02-29 13:45 MAC addres and iptables Sasa Stupar
2004-02-29 13:55 ` Antony Stone
2004-02-29 14:06   ` Sasa Stupar
2004-02-29 14:14     ` MAC address " Antony Stone
2004-02-29 14:38     ` MAC addres " Sasa Stupar
2004-02-29 15:12       ` MAC address " Antony Stone
2004-02-29 15:40         ` Sasa Stupar
2004-02-29 15:55           ` Antony Stone
2004-02-29 16:02             ` Sasa Stupar
2004-02-29 16:14               ` David Cannings
2004-02-29 16:16               ` Antony Stone
2004-02-29 18:10                 ` Sasa Stupar
2004-02-29 21:44                   ` Sasa Stupar
2004-02-29 22:03                     ` Antony Stone
2004-03-01  6:27                       ` Sasa Stupar
2004-03-01  6:42                       ` Sasa Stupar
2004-03-01  9:34                         ` Sasa Stupar
