From: Weedy <weedy2887@gmail.com>
To: netfilter@vger.kernel.org
Subject: iptables 1.4.x and xt_recent: my rules have fallen and they can't get up!
Date: Sat, 02 May 2009 04:00:55 -0400 [thread overview]
Message-ID: <49FBFDB7.4070204@gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 843 bytes --]
So apparently this has become illegal, and neither google or me playing
around has figured out how to update it. Input is most welcome.
+ iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 80 -j
REDIRECT --to-port 3128
+ iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state
--state NEW -m recent --name ATTACKER_SSH --rsource --update --seconds
120 --hitcount 5 -j DROP
iptables v1.4.3.2:
The "nat" table is not intended for filtering, the use of DROP is
therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
This is a openwrt router running the old firewall (not supported or I
would have asked on their mailing list) I will attach it encase anyone
wants to give it a quick peek and finds anything terribly wrong/outdated
(but it does currently work fine).
Thank you for your time.
[-- Attachment #2: firewall --]
[-- Type: text/plain, Size: 4120 bytes --]
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
## Please make changes in /etc/firewall.user
START=45
start() {
include /lib/network
scan_interfaces
config_get WAN wan ifname
config_get WANDEV wan device
config_get LAN lan ifname
config_get_bool NAT_LAN lan nat 1
if [ $NAT_LAN -ne 0 ]
then
config_get LAN_MASK lan netmask
config_get LAN_IP lan ipaddr
LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
fi
## CLEAR TABLES
for T in filter nat; do
iptables -t $T -F
iptables -t $T -X
done
iptables -N input_rule
iptables -N input_wan
iptables -N output_rule
iptables -N forwarding_rule
iptables -N forwarding_wan
iptables -t nat -N NEW
iptables -t nat -N prerouting_rule
iptables -t nat -N prerouting_wan
iptables -t nat -N postrouting_rule
iptables -N LAN_ACCEPT
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
iptables -A LAN_ACCEPT -j ACCEPT
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
[ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
# allow
iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# allow
iptables -A OUTPUT -j ACCEPT #allow everything out
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
[ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
# allow
iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
iptables -t nat -A PREROUTING -j prerouting_rule
[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
iptables -t nat -A POSTROUTING -j postrouting_rule
### Only LAN, unless told not to
if [ $NAT_LAN -ne 0 ]
then
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
fi
iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
iptables -t nat -A NEW -j DROP
## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -n "$WAN" -a -e /etc/firewall.config ] && {
export WAN
awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash
}
}
stop() {
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
}
[-- Attachment #3: firewall.user --]
[-- Type: text/plain, Size: 3843 bytes --]
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
# $Id: firewall.user 69 2009-04-29 17:58:40Z weedy $
WAN="$(uci -P /var/state get network.wan.ifname)"
LAN="$(uci -P /var/state get network.lan.ifname)"
WANIP=$(ifconfig $WAN | grep 'inet addr' | awk '{print $2}' | cut -d':' -f 2)
LANIP=$(ifconfig $LAN | grep 'inet addr' | awk '{print $2}' | cut -d':' -f 2)
iptables -A input_rule -p esp -j ACCEPT # allow IPSEC
iptables -A input_rule -p 17 --dport 500 -j ACCEPT # allow ISAKMP
iptables -A input_rule -p udp --dport 4500 -j ACCEPT # allow NAT-T
iptables -A forwarding_rule -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
iptables -A forwarding_rule -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
iptables -t nat -A postrouting_rule -d 10.0.0.0/8 -j ACCEPT
iptables -t nat -A postrouting_rule -d 172.16.0.0/12 -j ACCEPT
iptables -t nat -A postrouting_rule -d 192.168.0.0/16 -j ACCEPT
#iptables -A output_rule -p 47 -j ACCEPT
#iptables -A input_rule -p 47 -j ACCEPT
#iptables -t nat -A prerouting_rule -p tcp --dport 8888 -j DNAT --to ${LANIP%.*}.251:80
#iptables -A forwarding_rule -p tcp --dport 80 -d $WANIP -j ACCEPT
#iptables -t nat -A prerouting_rule -p tcp --dport 2222 -j DNAT --to $WANIP:22
#iptables -A forwarding_rule -p tcp --dport 22 -d $WANIP -j ACCEPT
# iptables -t nat -A prerouting_rule -j DNAT --to ${LANIP%.*}.170
# iptables -A forwarding_rule -d ${LANIP%.*}.170 -j ACCEPT
iptables -t nat -A prerouting_rule -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state --state NEW \
-m recent --name ATTACKER_SSH --rsource --update --seconds 120 --hitcount 5 -j DROP
iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state --state NEW \
-m recent --name ATTACKER_SSH --rsource --set
iptables -t nat -A prerouting_rule -p tcp --dport 2020 -j ACCEPT
iptables -A input_rule -p tcp --dport 2020 -j ACCEPT
#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 81 -j DNAT --to-destination ${LANIP%.*}.251
#iptables -A forwarding_rule -i $WAN -p tcp --dport 81 -d ${LANIP%.*}.251 -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 2080 -j DNAT --to-destination ${LANIP%.*}.250
iptables -A forwarding_rule -i $WAN -p tcp --dport 2080 -d ${LANIP%.*}.250 -j ACCEPT
# iptables -A forwarding_rule -p TCP -i $LAN -s ${LANIP%.*}.5 -j ACCEPT
# iptables -A forwarding_rule -p UDP -i $LAN -s ${LANIP%.*}.5 -j ACCEPT
iptables -A forwarding_rule -p TCP -i $LAN -s ${LANIP%.*}.247 -m multiport --dport 21,80,3128,2000 -j ACCEPT
iptables -A forwarding_rule -p UDP -i $LAN -s ${LANIP%.*}.200 --dport 9999 -j ACCEPT
# iptables -A forwarding_rule -p TCP -i $LAN -m iprange --src-range ${LANIP%.*}.11-${LANIP%.*}.254 -j ACCEPT
iptables -A forwarding_rule -p TCP -i $LAN -m iprange --src-range ${LANIP%.*}.2-${LANIP%.*}.10 -m multiport --dport 21,22,53,80,443,1433,3128,3579,3580,8000,8765,9865 -j ACCEPT
iptables -A forwarding_rule -p UDP -i $LAN -m iprange --src-range ${LANIP%.*}.2-${LANIP%.*}.10 -m multiport --dport 53 -j ACCEPT
### Blocking IP's so most popular instant messengers programs will not work
if [ -f /etc/blockips.txt ]; then
while read BLOCK_IPS JUNK; do # may not need JUNK, but it doesn't hurt
iptables -I forwarding_rule -d $BLOCK_IPS -i $LAN -m iprange --src-range ${LANIP%.*}.2-${LANIP%.*}.10 -j DROP
done < "/etc/blockips.txt"
fi
if [ -f /etc/mac.txt ]; then
while read MAC JUNK; do # may not need JUNK, but it doesn't hurt
iptables -A forwarding_rule -p TCP -i $LAN -m mac --mac-source $MAC -j ACCEPT
iptables -A forwarding_rule -p UDP -i $LAN -m mac --mac-source $MAC -j ACCEPT
done < "/etc/mac.txt"
fi
### Drop all outbound ports by default
iptables -A forwarding_rule -j DROP
[-- Attachment #4: iptables-save --]
[-- Type: text/plain, Size: 4907 bytes --]
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
*nat
:PREROUTING ACCEPT [4:771]
:POSTROUTING ACCEPT [38:2729]
:OUTPUT ACCEPT [41:2981]
:NEW - [0:0]
:postrouting_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
-A PREROUTING -p tcp -m state --state NEW -j NEW
-A PREROUTING -j prerouting_rule
-A PREROUTING -i eth0.1 -j prerouting_wan
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -s 172.17.17.0/24 -o eth0.1 -j MASQUERADE
-A NEW -m limit --limit 50/sec --limit-burst 100 -j RETURN
-A postrouting_rule -d 10.0.0.0/8 -j ACCEPT
-A postrouting_rule -d 172.16.0.0/12 -j ACCEPT
-A postrouting_rule -d 192.168.0.0/16 -j ACCEPT
-A prerouting_rule -i br-lan -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A prerouting_rule -p tcp -m tcp --dport 2020 -m state --state NEW -m recent --set --name ATTACKER_SSH --rsource
-A prerouting_rule -p tcp -m tcp --dport 2020 -j ACCEPT
-A prerouting_rule -i eth0.1 -p tcp -m tcp --dport 2080 -j DNAT --to-destination 172.17.17.250
COMMIT
# Completed on Sat May 2 03:38:55 2009
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
*raw
:PREROUTING ACCEPT [370:31230]
:OUTPUT ACCEPT [326:44408]
COMMIT
# Completed on Sat May 2 03:38:55 2009
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
*mangle
:PREROUTING ACCEPT [376:31470]
:INPUT ACCEPT [369:30660]
:FORWARD ACCEPT [7:810]
:OUTPUT ACCEPT [332:45080]
:POSTROUTING ACCEPT [335:45662]
COMMIT
# Completed on Sat May 2 03:38:55 2009
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LAN_ACCEPT - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:output_rule - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
-A INPUT -j input_rule
-A INPUT -i eth0.1 -j input_wan
-A INPUT -j LAN_ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -i eth0.1 -j forwarding_wan
-A FORWARD -i br-lan -o br-lan -j ACCEPT
-A FORWARD -i br-lan -o eth0.1 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j output_rule
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A LAN_ACCEPT -i eth0.1 -j RETURN
-A LAN_ACCEPT -j ACCEPT
-A forwarding_rule -d 63.135.80.0/20 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 1.0.0.0/8 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 205.188.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 74.125.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 69.147.64.0/18 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 207.68.192.0/20 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 207.68.128.0/18 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 205.188.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 64.12.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A forwarding_rule -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
-A forwarding_rule -d 172.17.17.250/32 -i eth0.1 -p tcp -m tcp --dport 2080 -j ACCEPT
-A forwarding_rule -s 172.17.17.247/32 -i br-lan -p tcp -m multiport --dports 21,80,3128,2000 -j ACCEPT
-A forwarding_rule -s 172.17.17.200/32 -i br-lan -p udp -m udp --dport 9999 -j ACCEPT
-A forwarding_rule -i br-lan -p tcp -m iprange --src-range 172.17.17.2-172.17.17.10 -m multiport --dports 21,22,53,80,443,1433,3128,3579,3580,8000,8765,9865 -j ACCEPT
-A forwarding_rule -i br-lan -p udp -m iprange --src-range 172.17.17.2-172.17.17.10 -m multiport --dports 53 -j ACCEPT
-A forwarding_rule -i br-lan -p tcp -m mac --mac-source 08:FA:KE:FA:KE:28 -j ACCEPT
-A forwarding_rule -i br-lan -p udp -m mac --mac-source 08:FA:KE:FA:KE:28 -j ACCEPT
-A forwarding_rule -j DROP
-A input_rule -p esp -j ACCEPT
-A input_rule -p udp -m udp --dport 500 -j ACCEPT
-A input_rule -p udp -m udp --dport 4500 -j ACCEPT
-A input_rule -p tcp -m tcp --dport 2020 -j ACCEPT
COMMIT
# Completed on Sat May 2 03:38:55 2009
next reply other threads:[~2009-05-02 8:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-02 8:00 Weedy [this message]
2009-05-02 9:13 ` iptables 1.4.x and xt_recent: my rules have fallen and they can't get up! Mart Frauenlob
2009-05-06 17:07 ` Mart Frauenlob
2009-05-05 19:00 ` Weedy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49FBFDB7.4070204@gmail.com \
--to=weedy2887@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.