Linux Netfilter discussions
From: Rakotomandimby Mihamina <rktmb.list@wanadoo.fr>
To: netfilter <netfilter@lists.netfilter.org>
Subject: What modules to load and what order ?
Date: Fri, 25 Jun 2004 09:35:42 +0200
Message-ID: <40DBD5CE.1010209@wanadoo.fr>

Hi all,
I have a dedicated server running Debian (initially woody, dist-upgraded to testing).

It runs iptables 1.2.9

I basically know how to manage it when all the netfilter stuff is included in the kernel, but I don't know what to do when it is built as modules.

I would be grateful if you would help me see which of these modules I should load, given that my rules are the ones I show at the bottom of this letter.

I'd be thankful for any help; I'll be very scared until you answer me, because my server is running without any firewall for the moment...

==========================================================================
[root@localhost]# find /lib/modules/2.4.26-grsec -name '*.o' | grep netfilter

/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/arpt_mangle.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/arp_tables.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/arptable_filter.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_DSCP.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ECN.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_LOG.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_MARK.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_REJECT.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_TCPMSS.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_TOS.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ULOG.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ah.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_dscp.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ecn.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_esp.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_length.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_limit.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_mac.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_mark.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_multiport.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_pkttype.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_recent.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_stealth.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_tcpmss.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_tos.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ttl.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/iptable_filter.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/iptable_mangle.o
/lib/modules/2.4.26-grsec/kernel/net/ipv6/netfilter/ip6_tables.o

=====================================================================

These are my rules:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i ppp0 -m unclean -j LOG --log-level debug --log-prefix 'unclean_: '
iptables -A INPUT -i ppp0 -m unclean -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p tcp --syn -j LOG --log-level debug --log-prefix 'syn-flood_: '
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-level debug --log-prefix 'p_scan_: '
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level debug --log-prefix 'p_o_d: '
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 31 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 2401 -j ACCEPT
iptables -A OUTPUT -p udp --dport 2401 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn --dport 113 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --syn --dport 113 -j ACCEPT
iptables -A INPUT -j LOG --log-level debug --log-prefix "droped_input_: "
iptables -A OUTPUT -j LOG --log-level debug --log-prefix "droped_output_: "
====================================================================

-- 
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://www.rktmb.org/site_principal/Members/mihamina
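One way to answer the question directly from the rules, as an added example that is not part of the original post: a POSIX shell script that scans the rule set for the -t, -m and -j options, derives the 2.4-series module names (ipt_<match> for matches, ipt_<TARGET> for non-built-in targets, iptable_<table> for tables, all on top of ip_tables, plus ip_conntrack for the state match and the nat table) and lists the ones absent from the module listing. The embedded rule subset and the AVAILABLE list are constructed from the post; treating the tcp, udp and icmp matches as built into ip_tables is an assumption that holds for the 2.4 kernels, not necessarily for later ones.

```shell
#!/bin/sh
# Added example (not from the post): derive which 2.4-era netfilter modules a
# set of iptables rules needs and which of them are absent from a module list.
# Assumes the 2.4 naming scheme: ipt_<match> for -m, ipt_<TARGET> for -j,
# iptable_<table> for -t, everything on top of ip_tables, and ip_conntrack for
# the state match and the nat table. Needs only POSIX sh, awk and printf.

# Constructed input: a subset of the poster's rules, one per line.
RULES='iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m unclean -j LOG --log-level debug --log-prefix "unclean_: "
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-prefix "p_scan_: "
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j LOG --log-level debug --log-prefix "droped_input_: "'

# Constructed input: module names taken from the find listing in the post
# (basename of each .o file, suffix stripped).
AVAILABLE='arpt_mangle arp_tables arptable_filter ip_tables ipt_DSCP ipt_ECN
ipt_LOG ipt_MARK ipt_REJECT ipt_TCPMSS ipt_TOS ipt_ULOG ipt_ah ipt_dscp ipt_ecn
ipt_esp ipt_length ipt_limit ipt_mac ipt_mark ipt_multiport ipt_pkttype
ipt_recent ipt_stealth ipt_tcpmss ipt_tos ipt_ttl iptable_filter iptable_mangle
ip6_tables'

# Read rules on stdin; print the required modules in load order, one per line:
# ip_tables first, then ip_conntrack if needed, then table modules, then
# match and target modules (modprobe resolves the same dependencies itself).
required_modules() {
  awk '
    $1 == "iptables" {
      table = "filter"
      for (i = 2; i <= NF; i++) {
        if ($i == "-t") table = $(i + 1)
        if ($i == "-N") chains[$(i + 1)] = 1    # user chains are not modules
        if ($i == "-m") matches[$(i + 1)] = 1
        if ($i == "-j") targets[$(i + 1)] = 1
      }
      tables[table] = 1
    }
    END {
      print "ip_tables"
      if ("state" in matches || "nat" in tables) print "ip_conntrack"
      for (t in tables) print "iptable_" t
      for (m in matches) {
        # tcp, udp and icmp matches are compiled into ip_tables on 2.4
        if (m == "tcp" || m == "udp" || m == "icmp") continue
        print "ipt_" m
      }
      for (j in targets) {
        # built-in verdicts and user-defined chains are not modules
        if (j == "ACCEPT" || j == "DROP" || j == "RETURN" || j == "QUEUE") continue
        if (j in chains) continue
        print "ipt_" j
      }
    }' | awk '!seen[$0]++'
}

# Read required names on stdin; print those absent from the list given in $1.
missing_modules() {
  awk -v avail="$1" '
    BEGIN { n = split(avail, a, "[ \n]+"); for (i = 1; i <= n; i++) have[a[i]] = 1 }
    !($1 in have)'
}

echo "Modules required by the rules, in load order:"
printf '%s\n' "$RULES" | required_modules
echo "Required but absent from the listing:"
printf '%s\n' "$RULES" | required_modules | missing_modules "$AVAILABLE"
```

Against the listing in the post the script reports ip_conntrack, ipt_state, ipt_unclean and iptable_nat as absent: the state rules, the unclean rules and the nat-table flushes cannot load until those modules exist, while the limit and LOG rules only need ipt_limit and ipt_LOG, which are present. The printed order is only significant with plain insmod; modprobe loads ip_tables and ip_conntrack before the modules that depend on them.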


Thread overview:
2004-06-25  7:35 Rakotomandimby Mihamina [this message]
2004-06-25 14:31 ` What modules to load and what order ? B. McAninch