From: Brandon Evans <maillists@hosttuls.com>
To: edvin.seferovic@kolp.at
Cc: netfilter@lists.netfilter.org
Subject: Re: HowTo connect a Cisco 2950 switch behind iptables?
Date: Thu, 13 Oct 2005 15:13:50 -0700
Message-ID: <434EDC1E.2050702@hosttuls.com>
In-Reply-To: <200510132202.j9DM22aU007735@virt20t.secure-wi.com>
Seferovic Edvin wrote:
> Hi,
>
> how about posting a detailed topology and your firewall script? At this
> point, we can only guess what could be wrong in your setup..
Here is my firewall script. eth0 is connected to the WAN, eth0 is the LAN.
Thanks,
Brandon
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [150:10999]
:bad_addresses - [0:0]
:win_servers - [0:0]
:win_ports - [0:0]
:webint_ips - [0:0]
:webint_ports - [0:0]
# Allow any traffic originating locally
-A INPUT -i lo -j ACCEPT
# put in your trusted address here so you can't lock yourself out
-A INPUT -i eth0 -s 66.xxx.xxx.32/27 -j ACCEPT
-A INPUT -i eth1 -s 10.10.10.0/24 -j ACCEPT
# Weed out bad addresses
-A INPUT -i eth0 -j bad_addresses
# Allow windows only ports
-A INPUT -i eth0 -j win_servers
# Allow wi ip only ports
-A INPUT -i eth0 -j webint_ips
# Drop stealth scans
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# Allow services that have already been established
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Restrict ICMP traffic
#-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-reply -j DROP
#-A INPUT -i eth0 -p icmp -m icmp --icmp-type destination-unreachable -j DROP
#-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -j DROP
#-A INPUT -i eth0 -p icmp -m icmp --icmp-type time-exceeded -j DROP
#########################################
# Allow services we provide to everyone
#########################################
# SSH
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# FTP access
-A INPUT -i eth0 -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# DNS
#-A INPUT -i eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
#-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
# HTTP
#-A INPUT -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# NTP
-A INPUT -i eth0 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 123 -j ACCEPT
# Log everything else
#-A INPUT -m limit --limit 3 -j LOG --log-level debug
# --- Bad Address tables --- ###########################
-A bad_addresses -s 192.168.0.0/255.255.0.0 -j DROP
#-A bad_addresses -s 10.0.0.0/255.0.0.0 -j DROP
-A bad_addresses -s 172.16.0.0/12 -j DROP
-A bad_addresses -s 127.0.0.0/8 -j DROP
-A bad_addresses -s 0.0.0.0/8 -j DROP
-A bad_addresses -s 169.254.0.0/16 -j DROP
-A bad_addresses -s 224.0.0.0/4 -j DROP
-A bad_addresses -s 240.0.0.0/5 -j DROP
-A bad_addresses -d 224.0.0.0/4 -p ! udp -j DROP
# hack attempts
-A bad_addresses -s 211.230.148.87 -j DROP
-A bad_addresses -s 211.214.160.231 -j DROP
-A bad_addresses -s 193.126.240.21 -j DROP
-A bad_addresses -s 71.34.213.207 -j DROP
##########################################################
# --- Windows Servers --- ###############################
# win1s
-A win_servers -s 209.xxx.xxx.xxx -j win_ports
# win2p
-A win_servers -s 209.xxx.xxx.xxx -j win_ports
# mssql1
-A win_servers -s 209.xxx.xxx.xxx -j win_ports
-A win_servers -s 209.xxx.xxx.xxx -j win_ports
##########################################################
# --- Windows Ports ---
######################################################################
#-A win_ports -i eth0 -p tcp -m multiport --dport 22,80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A win_ports -i eth0 -p tcp -m tcp --dport 137:139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A win_ports -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
##############################################################################################
# --- IP Ranges --- ###########################
# ADN ip's
-A webint_ips -s 207.xxx.xxx.0/24 -j webint_ports
<Snip>
-A webint_ips -s 209.xxx.xxx.0/24 -j webint_ports
##############################################################
# --- for WI servers only --- ########################################
# Cfengine
-A webint_ports -i eth0 -p tcp -m tcp --dport 5308 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# Syslog
-A webint_ports -i eth0 -p udp -m udp --dport 514 -j ACCEPT
# Bacula File Daemon
-A webint_ports -i eth0 -p udp -m udp --dport 9102 -j ACCEPT
#############################################################################################
# Allow all connections OUT and only existing and related ones IN
#-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
# Enabling SNAT (MASQUERADE) functionality on eth0
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
--
Thanks,
Brandon Evans
"I wouldn't recommend sex, drugs or insanity for everyone, but they've
always worked for me."
-Hunter S. Thompson
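An added example, not code from the original post or from the netfilter project: a small Python reviewer for iptables-restore style rulesets like the one above. It parses each active rule into its options and flags two patterns a defender checks in such a script: a FORWARD accept from the WAN interface to the LAN interface that carries no state match, and an INPUT accept whose --dport range is wider than a chosen limit. The sample ruleset inside is constructed from the posted script; the interface names eth0/eth1 and the 256-port threshold are assumptions.

```python
# Added example (not the poster's code): review an iptables-restore ruleset.
import re

# Sample rules constructed from the posted script (interfaces and ports as posted).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
#-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

# "-opt value" pairs; a value never starts with "-", so "-j DROP" and
# "--dport 22 --tcp-flags ..." split correctly. Only the first word of a
# multi-word value (e.g. --tcp-flags) is kept, which is enough here.
OPT = re.compile(r"(?:^|\s)(-[-\w]+)\s+(?!-)(\S+)")

def parse_rules(text):
    """Return [(chain, opts, raw_line)] for every active '-A' rule.
    Comments, chain declarations and COMMIT are skipped."""
    rules = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw.startswith("-A "):
            continue
        opts = dict(OPT.findall(raw))
        rules.append((opts.pop("-A"), opts, raw))
    return rules

def review(text, wan="eth0", lan="eth1", max_ports=256):
    """Return [(finding, raw_line)] for rules matching either pattern."""
    findings = []
    for chain, opts, raw in parse_rules(text):
        accept = opts.get("-j") == "ACCEPT"
        if (chain == "FORWARD" and accept and opts.get("-i") == wan
                and opts.get("-o") == lan and "--state" not in opts):
            findings.append(("stateless-wan-to-lan", raw))
        dport = opts.get("--dport", "")
        if chain == "INPUT" and accept and ":" in dport:
            lo, hi = (int(p) for p in dport.split(":"))
            if hi - lo + 1 > max_ports:
                findings.append(("wide-port-range", raw))
    return findings
```

Running `review(SAMPLE_RULES)` reports the 1024:65535 INPUT accept and the stateless eth0-to-eth1 FORWARD accept; the commented-out stateful FORWARD line just above it is the form that would pass.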