iptables
Jason Clinton
me at jasonclinton.com
Mon Oct 13 01:59:21 CDT 2003
On Sun, 2003-10-12 at 19:42, Bill Cavalieri wrote:
> This is my iptables filter:
>
> ACCEPT tcp -- anywhere anywhere tcp
...
Here is mine; see if you can figure out how I cheated to create this.
Chain INPUT (policy DROP)
target prot opt source destination
INETIN all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
INETIN all -- anywhere anywhere
INETOUT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
INETOUT all -- anywhere anywhere

Chain DMZIN (0 references)
target prot opt source destination

Chain DMZOUT (0 references)
target prot opt source destination

Chain INETIN (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
DROP icmp -- anywhere anywhere icmp redirect
DROP icmp -- anywhere anywhere icmp router-advertisement
DROP icmp -- anywhere anywhere icmp router-solicitation
DROP icmp -- anywhere anywhere icmp type 15
DROP icmp -- anywhere anywhere icmp type 16
DROP icmp -- anywhere anywhere icmp address-mask-request
DROP icmp -- anywhere anywhere icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp !echo-request
TCPACCEPT tcp -- anywhere anywhere tcp dpt:ssh
TCPACCEPT tcp -- anywhere anywhere tcp dpt:6112
UDPACCEPT udp -- anywhere anywhere udp dpt:bootpc
UDPACCEPT udp -- anywhere anywhere udp dpt:6112
UDPACCEPT udp -- anywhere anywhere udp dpt:6119
UDPACCEPT udp -- anywhere anywhere udp dpt:4000
ACCEPT all -- anywhere anywhere state ESTABLISHED
TCPACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED
UDPACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED
DROP all -- anywhere anywhere

Chain INETOUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain LDROP (0 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Dropped '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Dropped '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Dropped '
LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Dropped '
DROP all -- anywhere anywhere

Chain LREJECT (0 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain LTREJECT (0 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain TCPACCEPT (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 20/sec burst 5
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix `Possible SynFlood '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
DROP all -- anywhere anywhere

Chain TREJECT (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain UDPACCEPT (5 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
DROP all -- anywhere anywhere

Chain ULDROP (0 references)
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_ICMP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_FRAG' queue_threshold 1
DROP all -- anywhere anywhere

Chain ULREJECT (0 references)
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_FRAG' queue_threshold 1
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain ULTREJECT (0 references)
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_ICMP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_FRAG' queue_threshold 1
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
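One thing worth checking in a generated ruleset like the one above: INETIN has no RETURN rule and ends with an unconditional DROP, so no packet that enters it ever comes back to INPUT or FORWARD, which leaves the ACCEPT rules listed after the INETIN jump with nothing to match. The Python below is an added example, not part of the original post; it parses this `iptables -L` text format and reports such shadowed rules, using a constructed excerpt of the INPUT and INETIN chains as its input.

```python
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed excerpt of the post's INPUT and INETIN chains (INETIN cut to four rules).
LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
INETIN all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere anywhere

Chain INETIN (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp !echo-request
ACCEPT all -- anywhere anywhere state ESTABLISHED
DROP all -- anywhere anywhere
"""

def parse_listing(text):
    """Return {chain: [(target, matches_everything), ...]} from `iptables -L` text."""
    chains, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif cur and line and not line.startswith("target "):
            f = line.split()
            # No protocol, option, address or extra match: the rule fires for every packet.
            everything = f[1:5] == ["all", "--", "anywhere", "anywhere"] and len(f) == 5
            chains[cur].append((f[0], everything))
    return chains

def never_returns(chains, name):
    """True if user chain `name` has no RETURN rule and ends with a catch-all
    ACCEPT/DROP/REJECT, so no packet entering it ever comes back to the caller."""
    rules = chains.get(name, [])
    if not rules or any(t == "RETURN" for t, _ in rules):
        return False
    return rules[-1][1] and rules[-1][0] in TERMINATING

def unreachable_rules(chains):
    """(chain, rule_index) pairs listed after a catch-all terminating rule or jump."""
    dead = []
    for name, rules in chains.items():
        for i, (target, everything) in enumerate(rules):
            if everything and (target in TERMINATING or never_returns(chains, target)):
                dead += [(name, j) for j in range(i + 1, len(rules))]
                break
    return dead
```

Run against the excerpt it reports the three ACCEPT rules in INPUT (indices 1 to 3) as unreachable; feed it the output of `iptables -L` to check a live ruleset the same way.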