Thread: Iptables drops good packets
My iptables configuration is dropping packets between the intranet and the internet, which pass through a squid3 + dansguardian setup.
log:
jun 23 14:39:17 tcla2 kernel: [13618.768499] invalid packet: in=eth1 out= mac=00:01:02:84:8d:4c:00:0b:db:67:72:47:08:00 src=192.168.2.5 dst=192.168.2.1 len=40 tos=0x00 prec=0x00 ttl=128 id=2777 df proto=tcp spt=51275 dpt=8080 window=0 res=0x00 rst urgp=0
jun 23 14:39:44 tcla2 kernel: [13644.880528] invalid packet: in=eth1 out= mac=00:01:02:84:8d:4c:00:0b:db:67:72:47:08:00 src=192.168.2.5 dst=192.168.2.1 len=40 tos=0x00 prec=0x00 ttl=128 id=2811 df proto=tcp spt=51275 dpt=8080 window=0 res=0x00 rst urgp=0
iptables script:
sudo iptables-save
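# generated iptables-save v1.4.4 on wed jun 23 15:05:24 2010
# NOTE(review): the dump was lower-cased when it was posted (forum/extraction
# artefact). iptables-restore needs the built-in chain names, targets, -A and
# COMMIT in upper case, so those are restored below; user-defined chain names,
# counters and the LOG prefixes are kept exactly as posted.
*filter
# INPUT policy is ACCEPT, so the trailing "input packet died: " LOG rule is
# not a drop: whatever reaches it (TCP from eth0 to a port tcp_inbound does
# not list, UDP that udp_inbound returns, ICMP types icmp_packets returns) is
# logged and then accepted by the policy. For a default-deny host use
# `:INPUT DROP [0:0]` or append `-A INPUT -j DROP` after the LOG rule.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
# bad_packets is consulted before the LAN (eth1) accept two rules down, so a
# LAN packet that conntrack marks INVALID is logged with the "invalid packet: "
# prefix and dropped -- exactly what the posted kernel log shows (RST,
# window=0, 192.168.2.5 -> 192.168.2.1:8080, i.e. the proxy port). A lone RST
# for a flow conntrack no longer tracks is normally harmless to drop; if it
# has to pass, insert `-A bad_packets -i eth1 -j RETURN` between the
# illegal-source rules and the INVALID rules (mirroring what bad_tcp_packets
# already does for eth1), or set net.netfilter.nf_conntrack_tcp_be_liberal=1
# to relax TCP window tracking.
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -s 192.168.2.0/24 -i eth1 -j ACCEPT
-A INPUT -d 192.168.2.255/32 -i eth1 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# shadowed: the "-s 192.168.2.0/24 -i eth1 -j ACCEPT" rule above already
# matches everything this rule would.
-A INPUT -s 192.168.2.0/24 -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "input packet died: "
# FORWARD (policy DROP): anything arriving on eth1 is accepted -- tcp_outbound
# and udp_outbound accept unconditionally and the eth1 catch-all takes the rest.
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# source-port 1863 match on any interface with no state check: the source
# port is chosen by the remote peer, so this accepts more than the intended
# messenger traffic. Prefer a RELATED,ESTABLISHED or explicit --dport rule.
-A FORWARD -p tcp -m tcp --sport 1863 -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "forward packet died: "
# OUTPUT (policy ACCEPT): lo, eth1 and eth0 are accepted explicitly, so only
# packets leaving through some other interface reach the LOG rule, and the
# ACCEPT policy lets those through anyway.
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.2.1/32 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "output packet died: "
# bad_packets: reached from INPUT and FORWARD for every packet, all interfaces.
-A bad_packets -s 192.168.2.0/24 -i eth0 -j LOG --log-prefix "illegal source: "
-A bad_packets -s 192.168.2.0/24 -i eth0 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "invalid packet: "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
# bad_tcp_packets: LAN (eth1) TCP is exempted up front; the flag checks below
# only apply to eth0 (and any other non-eth1 interface).
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "new not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
# icmp_packets (eth0 only): fragments dropped, echo-request (8) dropped,
# time-exceeded (11) accepted; every other type RETURNs to INPUT, where the
# ACCEPT policy lets it in after the "died" LOG.
-A icmp_packets -p icmp -f -j LOG --log-prefix "icmp fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
# tcp_inbound (eth0 only): ports reachable from the Internet side, with no
# NEW/SYN check here (bad_tcp_packets only rejects NEW-without-SYN). The list
# includes portmapper (111), NFS (2049), IPP/CUPS (631) and the whole
# 2222-10000 range; confirm each is meant to be Internet-reachable and trim
# what is not. Everything else RETURNs to INPUT and is accepted by the policy.
-A tcp_inbound -p tcp -m tcp --dport 51413 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 6891:6900 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 111 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 9400 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 2049 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 9401 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 9402 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 9403 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 2222:10000 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 631 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
# udp_inbound (eth0 only): NetBIOS (137/138) dropped; NTP (123), DNS (53),
# mDNS (5353), portmapper (111), NFS (2049) and 2222-10000 accepted from the
# Internet side -- the same exposure review as tcp_inbound applies.
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 123 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 53 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 5353 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 111 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 9400 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 2049 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 9401 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 9402 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 9403 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 2222:10000 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# completed on wed jun 23 15:05:24 2010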
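# generated iptables-save v1.4.4 on wed jun 23 15:05:24 2010
*mangle
# NOTE(review): the PREROUTING and POSTROUTING policy lines appeared in the
# post as "rerouting accept ..." / "ostrouting accept ..." -- the leading ":P"
# looks to have been swallowed by the forum's smiley rendering. They are
# reconstructed here with the counters as posted. This table holds no rules;
# it only carries the default ACCEPT policies (built-in names restored to
# upper case, which iptables-restore requires).
:PREROUTING ACCEPT [1087894:251735380]
:INPUT ACCEPT [1086564:251616593]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [344984:2270354335]
:POSTROUTING ACCEPT [345256:2270407549]
COMMIT
# completed on wed jun 23 15:05:24 2010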
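# generated iptables-save v1.4.4 on wed jun 23 15:05:24 2010
*nat
# NOTE(review): PREROUTING/POSTROUTING policy lines reconstructed (posted as
# "rerouting"/"ostrouting"; the ":P" prefix was most likely lost to the
# forum's smiley rendering). Built-in names and targets restored to upper
# case, which iptables-restore requires; counters as posted.
:PREROUTING ACCEPT [1412:127511]
:POSTROUTING ACCEPT [382:32952]
:OUTPUT ACCEPT [1531:112812]
# Transparent proxy: LAN (eth1) web traffic to non-LAN destinations is
# redirected to the local port 8080 -- which is why the logged packets have
# dst=192.168.2.1 dpt=8080. The filter INPUT chain must accept 8080 from eth1
# (it does, via the general eth1 ACCEPT). Only port 80 is redirected, so
# HTTPS (443) and any other port bypass the proxy/content filter entirely.
-A PREROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Everything leaving via eth0 is source-NATed to 192.168.1.2 (presumably the
# eth0 address -- confirm).
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.2
COMMIT
# completed on wed jun 23 15:05:24 2010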
Try simple tcp/udp rules, without the following ones, and check the log again:
-a output -m limit --limit 3/min --limit-burst 3 -j log --log-prefix "output packet died: "
# Rules quoted in the reply above as candidates to take out while testing.
# Only the two INVALID-state lines below can have produced the posted
# "invalid packet: " log entries: the logged packets arrived on eth1, so the
# illegal-source rules (-i eth0) do not match them, and bad_tcp_packets
# RETURNs eth1 traffic before any flag check, so the stealth-scan rules do
# not either. Removing just the INVALID drop (or exempting -i eth1 ahead of
# it) is enough to confirm the cause; the rest can stay.
-a bad_packets -s 192.168.2.0/24 -i eth0 -j log --log-prefix "illegal source: "
-a bad_packets -s 192.168.2.0/24 -i eth0 -j drop
-a bad_packets -m state --state invalid -j log --log-prefix "invalid packet: "
-a bad_packets -m state --state invalid -j drop
-a bad_packets -p tcp -j bad_tcp_packets
-a bad_packets -j return
-a bad_tcp_packets -i eth1 -p tcp -j return
-a bad_tcp_packets -p tcp -m tcp ! --tcp-flags fin,syn,rst,ack syn -m state --state new -j log --log-prefix "new not syn: "
-a bad_tcp_packets -p tcp -m tcp ! --tcp-flags fin,syn,rst,ack syn -m state --state new -j drop
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn,rst,psh,ack,urg none -j log --log-prefix "stealth scan: "
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn,rst,psh,ack,urg none -j drop
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn,rst,psh,ack,urg fin,syn,rst,psh,ack,urg -j log --log-prefix "stealth scan: "
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn,rst,psh,ack,urg fin,syn,rst,psh,ack,urg -j drop
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn,rst,psh,ack,urg fin,psh,urg -j log --log-prefix "stealth scan: "
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn,rst,psh,ack,urg fin,psh,urg -j drop
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn,rst,psh,ack,urg fin,syn,rst,ack,urg -j log --log-prefix "stealth scan: "
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn,rst,psh,ack,urg fin,syn,rst,ack,urg -j drop
-a bad_tcp_packets -p tcp -m tcp --tcp-flags syn,rst syn,rst -j log --log-prefix "stealth scan: "
-a bad_tcp_packets -p tcp -m tcp --tcp-flags syn,rst syn,rst -j drop
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn fin,syn -j log --log-prefix "stealth scan: "
-a bad_tcp_packets -p tcp -m tcp --tcp-flags fin,syn fin,syn -j drop
-a bad_tcp_packets -p tcp -j return
# icmp_packets is only entered for -i eth0 traffic (see the INPUT chain in
# the dump), so it is unrelated to the logged eth1 packets.
-a icmp_packets -p icmp -f -j log --log-prefix "icmp fragment: "
-a icmp_packets -p icmp -f -j drop
-a icmp_packets -p icmp -m icmp --icmp-type 8 -j drop
-a icmp_packets -p icmp -m icmp --icmp-type 11 -j accept
-a icmp_packets -p icmp -j return