From: Anthony DiSante
Subject: Re: forwarded ports become "filtered" instead of "open"
Date: Wed, 10 Aug 2005 13:27:35 -0400
Message-ID: <42FA3907.6040606@nodivisions.com>
References: <42F9046F.9090004@nodivisions.com> <42FA17D6.1030707@mnemon.de>
In-Reply-To: <42FA17D6.1030707@mnemon.de>
To: netfilter@lists.netfilter.org

Jörg Harmuth wrote:
>>Can anyone offer some pointers here? I imagine more of my narc.conf
>>and/or iptables' output would be helpful, but rather than me attaching
>>the whole thing right now, just ask if you want me to post any of that.
>
>
> Yes, please do "iptables-save > " and paste the content of the
> file into your posting, after changing information that must not be
> public (if any). Some other info like kernel version, interfaces (if
> more than one) and iptables version may be useful too.

I only have one network interface (not counting lo).
Here's the rest of that info:

# uname -a
Linux box1 2.6.8-2-686-smp #1 SMP Thu May 19 17:27:55 JST 2005 i686 GNU/Linux
# iptables --version
iptables v1.3.1
# iptables-save
# Generated by iptables-save v1.3.1 on Wed Aug 10 13:21:27 2005
*mangle
:PREROUTING ACCEPT [3810743:1593668883]
:INPUT ACCEPT [3810723:1593667323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5229526:6297115310]
:POSTROUTING ACCEPT [5233616:6298102388]
-A PREROUTING -d 0.0.0.0/255.0.0.0 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 255.255.255.255 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 224.0.0.0/240.0.0.0 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 0.0.0.0/255.0.0.0 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 255.255.255.255 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 224.0.0.0/240.0.0.0 -i eth0 -m state --state NEW -j DROP
COMMIT
# Completed on Wed Aug 10 13:21:27 2005
# Generated by iptables-save v1.3.1 on Wed Aug 10 13:21:27 2005
*nat
:PREROUTING ACCEPT [253511:23814701]
:POSTROUTING ACCEPT [23451:1825798]
:OUTPUT ACCEPT [23451:1825798]
COMMIT
# Completed on Wed Aug 10 13:21:27 2005
# Generated by iptables-save v1.3.1 on Wed Aug 10 13:21:27 2005
*filter
:CUST_LOG - [0:0]
:ICMP_CHK - [0:0]
:INPUT DROP [5:272]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [60966:44974754]
:SANITY_CHK - [0:0]
:SPOOF_CHK - [0:0]
:STATE_CHK - [0:0]
:TCP_CHK - [0:0]
:UDP_CHK - [0:0]
-A CUST_LOG -s 127.0.0.0/255.0.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 240.0.0.0/248.0.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 248.0.0.0/248.0.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 172.16.0.0/255.240.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 192.168.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 10.0.0.12 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -p tcp -m multiport --dports 23,81,111,123,161,445,515,555,1234,1241,1243,1433,1494,2049,3306 -j LOG --log-prefix "PROBE " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -p tcp -m multiport --dports 3128,3389,5631,5632,6635,8080,9055,12345,24452,27374,27573,31337,42484 -j LOG --log-prefix "PROBE " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -p udp -m multiport --dports 22,161,1025,3283,5634,5882,28431,31337,31789 -j LOG --log-prefix "PROBE " --log-level 7 --log-ip-options
-A CUST_LOG -j DROP
-A ICMP_CHK -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 3/0 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 3/1 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 3/3 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 3/4 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 11 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -j DROP
-A INPUT -j SPOOF_CHK
-A INPUT -p tcp -j SANITY_CHK
-A INPUT -j STATE_CHK
-A INPUT -s 127.0.0.0/255.255.255.0 -d 127.0.0.0/255.255.255.0 -i lo -m state --state NEW -j ACCEPT
-A INPUT -p tcp -j TCP_CHK
-A INPUT -p udp -j UDP_CHK
-A INPUT -p icmp -j ICMP_CHK
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,ACK -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A SPOOF_CHK -s 127.0.0.0/255.0.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 240.0.0.0/248.0.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 248.0.0.0/248.0.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 172.16.0.0/255.240.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 192.168.0.0/255.255.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 10.0.0.12 -i eth0 -j CUST_LOG
-A STATE_CHK -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATE_CHK -m state --state INVALID -j DROP
-A STATE_CHK -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A TCP_CHK -s 10.0.0.12 -d 10.0.0.12 -p tcp -m tcp --dport 3029:3038 -j ACCEPT
-A TCP_CHK -s 10.0.0.12 -d 10.0.0.12 -p tcp -m tcp --dport 5432 -j ACCEPT
-A TCP_CHK -s 10.0.0.12 -d 10.0.0.12 -p tcp -m tcp --dport 3306 -j ACCEPT
-A TCP_CHK -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A TCP_CHK -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A TCP_CHK -i eth0 -p tcp -m multiport --dports 22,873,80,9618 -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCP_CHK -i eth0 -p tcp -m multiport --dports 22,80,873,9618 -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCP_CHK -j CUST_LOG
-A UDP_CHK -j CUST_LOG
-A UDP_CHK -s 10.0.0.12 -d 10.0.0.12 -p udp -m udp --dport 5432 -j ACCEPT
-A UDP_CHK -s 10.0.0.12 -d 10.0.0.12 -p udp -m udp --dport 3306 -j ACCEPT
COMMIT
# Completed on Wed Aug 10 13:21:27 2005

Thanks,
Anthony DiSante
http://encodable.com/
http://nodivisions.com/
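As an added example (not part of this thread, and not netfilter or narc code), the script below lints an iptables-save dump for two things a reviewer looks for when reading a ruleset like the one above: rules that are exact duplicates of an earlier rule in the same chain, and rules that can never match because an earlier rule in the chain has no match criteria and always ends the packet's traversal (a bare -j DROP, or a bare jump into a user chain that itself ends in an unconditional DROP). The SAMPLE fragment is constructed for the example and only modelled on the dump in the thread; the function names, the finding tuple format and the set of targets treated as terminating are this example's own assumptions.

```python
"""Lint an iptables-save dump for duplicate and unreachable (shadowed) rules.

Added example, not code from the thread or from netfilter. Function names,
the SAMPLE fragment and the finding format are this example's own choices.
"""
import shlex

# Built-in targets that end the packet's traversal for good (no return to the caller).
# Assumption: QUEUE-style targets are not modelled; only these three count.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed iptables-save fragment, modelled on the dump in the thread (not the real dump).
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 0.0.0.0/255.0.0.0 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 0.0.0.0/255.0.0.0 -i eth0 -m state --state NEW -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:CUST_LOG - [0:0]
:TCP_CHK - [0:0]
:UDP_CHK - [0:0]
-A CUST_LOG -p tcp -m multiport --dports 23,81,111 -j LOG --log-prefix "PROBE " --log-level 7
-A CUST_LOG -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j TCP_CHK
-A INPUT -p udp -j UDP_CHK
-A TCP_CHK -i eth0 -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
-A TCP_CHK -i eth0 -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
-A TCP_CHK -j CUST_LOG
-A UDP_CHK -j CUST_LOG
-A UDP_CHK -s 10.0.0.12 -d 10.0.0.12 -p udp -m udp --dport 5432 -j ACCEPT
-A UDP_CHK -s 10.0.0.12 -d 10.0.0.12 -p udp -m udp --dport 3306 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {chain: [rule_tokens, ...]}} in file order.
    rule_tokens is the shlex-split argument list after '-A CHAIN'."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                     # table header, e.g. *filter
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                   # chain declaration: ':NAME POLICY [pkts:bytes]'
            chain = line[1:].split()[0]
            tables[table].setdefault(chain, [])
        elif line.startswith("-A "):                 # appended rule
            tokens = shlex.split(line)               # shlex keeps "PROBE " as one token
            tables[table].setdefault(tokens[1], []).append(tokens[2:])
    return tables


def split_rule(tokens):
    """Split rule tokens into (match_tokens, target); target options after -j are dropped.
    A rule without -j/-g only counts packets and gets target None."""
    for i, tok in enumerate(tokens):
        if tok in ("-j", "-g"):
            return tokens[:i], tokens[i + 1]
    return tokens, None


def always_terminates(chains, target, _visiting=frozenset()):
    """True if a packet sent to `target` never comes back to the caller's later rules:
    a built-in terminating target, or a user chain containing an unconditional rule
    (no match tokens) whose own target always terminates, with no unconditional
    RETURN before it. Non-terminating targets such as LOG or MARK yield False."""
    if target in TERMINATING:
        return True
    if target in _visiting or target not in chains:  # RETURN, LOG, MARK, ... or a loop
        return False
    for tokens in chains[target]:
        matches, next_target = split_rule(tokens)
        if matches or next_target is None:
            continue
        if next_target == "RETURN":
            return False
        if always_terminates(chains, next_target, _visiting | {target}):
            return True
    return False


def lint(text):
    """Return findings as (table, chain, rule_number, kind, rule) tuples, where kind is
    'duplicate' (identical earlier rule in the chain) or 'unreachable' (an earlier
    unconditional rule in the chain always ends traversal or returns)."""
    findings = []
    for table, chains in parse_iptables_save(text).items():
        for chain, rules in chains.items():
            seen = set()
            dead_from = None                         # rule number after which nothing can match
            for number, tokens in enumerate(rules, start=1):
                rule = shlex.join(tokens)
                if tuple(tokens) in seen:
                    findings.append((table, chain, number, "duplicate", rule))
                seen.add(tuple(tokens))
                if dead_from is not None:
                    findings.append((table, chain, number, "unreachable", rule))
                    continue
                matches, target = split_rule(tokens)
                if not matches and target is not None and (
                    target == "RETURN" or always_terminates(chains, target)
                ):
                    dead_from = number
    return findings


if __name__ == "__main__":
    for table, chain, number, kind, rule in lint(SAMPLE):
        print(f"{table}/{chain} rule {number}: {kind}: -A {chain} {rule}")
```

Run it against a real dump with `python lint.py < /dev/null` replaced by reading `iptables-save` output into `lint()`; on the constructed SAMPLE it reports the duplicated mangle rule, the duplicated TCP_CHK ACCEPT, and both UDP_CHK ACCEPT rules as unreachable because the unconditional `-j CUST_LOG` that precedes them lands in a chain that ends in `-j DROP`. The linter deliberately treats a rule with any match token as conditional, so it will not flag rules that are semantically equivalent but textually different (such as two multiport lists with the same ports in a different order); extending the duplicate check to normalise such lists is straightforward but not done here.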