Firewall Wizards mailing list archives
Re: iptables problem forwarding
From: Marco Thorbruegge <thorbruegge () cert dfn de>
Date: Tue, 1 Apr 2003 09:34:59 +0200
-----BEGIN PGP SIGNED MESSAGE-----
> iptables -t nat --flush

You do this twice. Why?
> #enable connection tracking
> iptables -I FORWARD -m state --state INVALID -j DROP
> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Looks good. Why do you not put the same for INPUT and OUTPUT here?
> #allowing one service on this machine ssh
> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT

What's that? Why UDP? Delete the second rule. And put a "-m state --state NEW" into the first one.
> iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

Same here.

[...]
> # accept established connections
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

You need the same thing for OUTPUT.
> iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "new no-SYN: "

Put that somewhere at the beginning. Same thing for INPUT and OUTPUT (yes, OUTPUT too!).
> iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

You can put -j LOG and -j DROP into one rule. Or create a dedicated chain for logging and dropping.
> iptables -A FORWARD -i eth0 -p tcp --tcp-flags ACK ACK -m state --state NEW -j LOG --log-prefix "New ACK: "

No packet will match that rule. It will be matched by the 2 rules before.
> #enforcing TCP standards
> iptables -A INPUT -p tcp --tcp-option \! 2 -j LOG --log-tcp-options --log-prefix "TCP standards not met: "
> iptables -A INPUT -p tcp --tcp-option \! 2 -j REJECT --reject-with tcp-reset
> iptables -A INPUT -p tcp -j LOG -m limit --limit 500/hour --limit-burst 500 --log-prefix "MIRROR: "
> iptables -A INPUT -p tcp -j MIRROR -m limit --limit 500/hour --limit-burst 500

I cannot see the point in those ones. BTW: MIRROR is evil.
> iptables -t nat -F
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
> iptables -P INPUT DROP

I thought you wanted to make DNAT!?

HTH (a little),
Marco

- -- 
Marco Thorbruegge       | mailto:thorbruegge () cert dfn de
DFN-CERT GmbH           | http://www.cert.dfn.de/team/matho/
Heidenkampsweg 41       | Phone: +49(40)808077-555
D-20097 Hamburg/Germany | FAX:   +49(40)808077-556
PGP-Key: 0xAE662425  Fingerpr.: 7E5C A77A F91D 63D1 02AB 9526 53FF F1A0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iQEVAwUBPolBKXsh3gGuZiQlAQG3ygf+JQ02FY+Ca9DfU6iLWWU6Bk3EjVukFqVS
S2YvuxKkgrJ+kuAuNWAMQTw67aLk5ddSRl9mQothrzErSzmU7SC0kG/epx7JmLfb
5jyXFbqN52eEI09Uf61GkdQGqzMQomW7oL7saeoDMqHacJc5/Tw/eu24ktfg8KxV
c2zD7Id1Sth/tUs8NvUB7uhpzN7f0dKIiOjGnEvl+4ThZ0Q7EzbYdQtU2GC0yMGH
4YLE07oG6pZTvW6/fjNh6rpOUb6dceGn/i2msBO3FmM3rBh3PiipxiSfkKzMLOLw
Sio7nmkZFEz6c3csm95Tro53dPsM+Ktj/H/Z/9l8gjIOfgilKN7eMQ==
=90FZ
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
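The following script is an added example and is not part of Marco's reply or of the original poster's ruleset. It shows what the reviewed script looks like once the points above are applied: a single flush, the same stateful skeleton (drop INVALID, accept RELATED/ESTABLISHED, reject NEW TCP without SYN) at the top of INPUT, FORWARD and OUTPUT, ssh accepted on TCP only and only for state NEW, a dedicated chain that logs and drops in one place instead of paired LOG/DROP rules, and no MIRROR target. It assumes eth0 is the external interface and eth1 the internal one (both names come from the thread), uses a placeholder SNAT address from the RFC 5737 documentation range, and the chain name LOGDROP and the dry_run/print_rule helpers are choices made for this example. Without the "apply" argument it only prints the rules, so it can be read and checked before being loaded as root.

```shell
#!/bin/sh
# Added example, not code from the thread: the reviewed ruleset restructured
# along the lines of the comments in the reply. Assumptions (not from the
# thread): eth0 external, eth1 internal, SNAT address is a placeholder.
IPT="${IPT:-iptables}"            # command used to load rules; swapped in dry_run
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
SNAT_IP="${SNAT_IP:-192.0.2.1}"   # placeholder (RFC 5737 range), replace before use

# Dry-run backend: prints the rule instead of loading it into the kernel.
print_rule() { printf 'iptables %s\n' "$*"; }

flush_all() {
    # Flush once; the original script flushed the nat table twice.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -t nat -F
}

set_policies() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -P "$chain" DROP
    done
}

make_logdrop_chain() {
    # One chain that logs (rate limited) and drops, instead of a separate
    # -j LOG and -j DROP rule for every case.
    "$IPT" -N LOGDROP
    "$IPT" -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "fw drop: "
    "$IPT" -A LOGDROP -j DROP
}

state_rules() {
    # The same stateful skeleton at the top of INPUT, FORWARD and OUTPUT:
    # drop INVALID, accept RELATED/ESTABLISHED, and refuse NEW TCP
    # connections that do not start with SYN (yes, OUTPUT too).
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -A "$chain" -m state --state INVALID -j LOGDROP
        "$IPT" -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
        "$IPT" -A "$chain" -p tcp ! --syn -m state --state NEW -j LOGDROP
    done
}

service_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # ssh is TCP only, and only the first packet of a connection needs this
    # rule; the rest of the connection is accepted by the ESTABLISHED rule.
    for ifc in "$EXT_IF" "$INT_IF"; do
        "$IPT" -A INPUT -i "$ifc" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    done
    # Let the internal network open connections through the box.
    "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -m state --state NEW -j ACCEPT
    # Anything else that reaches the end of a chain is logged and dropped.
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -A "$chain" -j LOGDROP
    done
}

nat_rules() {
    # Source NAT for outgoing traffic; no MIRROR target anywhere.
    "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$SNAT_IP"
}

build_ruleset() {
    flush_all
    set_policies
    make_logdrop_chain
    state_rules
    service_rules
    nat_rules
}

# Print the rules without touching the kernel (subshell, so the caller's
# IPT setting is untouched).
dry_run() { ( IPT=print_rule; build_ruleset ); }

# "sh fw.sh apply" loads the rules (needs root); anything else prints them.
case "${1:-}" in
    apply) build_ruleset ;;
    *) dry_run ;;
esac
```

Reviewing the printed output of dry_run before running it with "apply" is the quickest way to confirm the points from the reply: the nat table is flushed exactly once, every chain carries the no-SYN check, port 22 is matched on TCP with --state NEW only, and neither "-p udp" nor MIRROR appears.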