
Re: Problem with iptables



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pierguido wrote:
[...]
> difficult...is there a tool to show in realtime the status of the counter?

Sorry...here the output of iptables-save

Pier
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGOwOG0EvuLV/O0yoRAolVAKCEzhUn7dCeFMwXtan2kaSoQb2KHACg02vM
fnU8cLsYTxw11LPWulHW0B4=
=LLgW
-----END PGP SIGNATURE-----
# Generated by iptables-save v1.3.6 on Fri May  4 11:56:26 2007
# Filter table. All three built-in chains have policy DROP, so a packet that
# no rule accepts is discarded.
# The [packets:bytes] pair after a policy counts only packets that fall off the
# end of the chain and are handled by the policy itself. Every built-in chain
# in this dump ends in an explicit "-j DROP" rule, so the policy is never
# reached and [0:0] here does not mean that nothing was dropped.
# Per-rule counters are not part of this dump; "iptables-save -c" includes
# them and "iptables -L -n -v" lists them per rule.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User-defined chains for inbound traffic ("-" means the chain has no policy).
# There is one dispatcher chain per local address (in_lan, in_public_lan_124,
# in_public_lan_125) plus one sub-chain per service.
# NOTE(review): judging by the rules further down, the _sN suffix marks a
# service offered by this host and _cN a service this host uses as a client;
# the numbers look like generator sequence numbers - confirm against the
# script that produced the ruleset.
:in_lan - [0:0]
:in_lan_all_c7 - [0:0]
:in_lan_dns_s1 - [0:0]
:in_lan_ftp_c9 - [0:0]
:in_lan_ftp_s6 - [0:0]
:in_lan_http_s2 - [0:0]
:in_lan_https_s3 - [0:0]
:in_lan_icmp_s5 - [0:0]
:in_lan_irc_c8 - [0:0]
:in_lan_ssh_s4 - [0:0]
:in_public_lan_124 - [0:0]
:in_public_lan_124_all_c6 - [0:0]
:in_public_lan_124_dns_s1 - [0:0]
:in_public_lan_124_ftp_c8 - [0:0]
:in_public_lan_124_ftp_s5 - [0:0]
:in_public_lan_124_http_s3 - [0:0]
:in_public_lan_124_https_s4 - [0:0]
:in_public_lan_124_icmp_s2 - [0:0]
:in_public_lan_124_irc_c7 - [0:0]
:in_public_lan_125 - [0:0]
:in_public_lan_125_all_c6 - [0:0]
:in_public_lan_125_dns_s1 - [0:0]
:in_public_lan_125_ftp_c8 - [0:0]
:in_public_lan_125_ftp_s5 - [0:0]
:in_public_lan_125_http_s3 - [0:0]
:in_public_lan_125_https_s4 - [0:0]
:in_public_lan_125_icmp_s2 - [0:0]
:in_public_lan_125_irc_c7 - [0:0]
# User-defined chains for outbound traffic, mirroring the inbound set: one
# dispatcher per local source address and one sub-chain per service.
# Only the 192.168.30.103 set (out_lan) has an ssh sub-chain.
:out_lan - [0:0]
:out_lan_all_c7 - [0:0]
:out_lan_dns_s1 - [0:0]
:out_lan_ftp_c9 - [0:0]
:out_lan_ftp_s6 - [0:0]
:out_lan_http_s2 - [0:0]
:out_lan_https_s3 - [0:0]
:out_lan_icmp_s5 - [0:0]
:out_lan_irc_c8 - [0:0]
:out_lan_ssh_s4 - [0:0]
:out_public_lan_124 - [0:0]
:out_public_lan_124_all_c6 - [0:0]
:out_public_lan_124_dns_s1 - [0:0]
:out_public_lan_124_ftp_c8 - [0:0]
:out_public_lan_124_ftp_s5 - [0:0]
:out_public_lan_124_http_s3 - [0:0]
:out_public_lan_124_https_s4 - [0:0]
:out_public_lan_124_icmp_s2 - [0:0]
:out_public_lan_124_irc_c7 - [0:0]
:out_public_lan_125 - [0:0]
:out_public_lan_125_all_c6 - [0:0]
:out_public_lan_125_dns_s1 - [0:0]
:out_public_lan_125_ftp_c8 - [0:0]
:out_public_lan_125_ftp_s5 - [0:0]
:out_public_lan_125_http_s3 - [0:0]
:out_public_lan_125_https_s4 - [0:0]
:out_public_lan_125_icmp_s2 - [0:0]
:out_public_lan_125_irc_c7 - [0:0]
# "pr_" chains: packet sanity and flood checks, one identical set per local
# address. They are only jumped to from the inbound dispatcher chains; the
# outbound chains do not use them.
:pr_lan_fragments - [0:0]
:pr_lan_icmpflood - [0:0]
:pr_lan_malbad - [0:0]
:pr_lan_malnull - [0:0]
:pr_lan_malxmas - [0:0]
:pr_lan_nosyn - [0:0]
:pr_lan_synflood - [0:0]
:pr_public_lan_124_fragments - [0:0]
:pr_public_lan_124_icmpflood - [0:0]
:pr_public_lan_124_malbad - [0:0]
:pr_public_lan_124_malnull - [0:0]
:pr_public_lan_124_malxmas - [0:0]
:pr_public_lan_124_nosyn - [0:0]
:pr_public_lan_124_synflood - [0:0]
:pr_public_lan_125_fragments - [0:0]
:pr_public_lan_125_icmpflood - [0:0]
:pr_public_lan_125_malbad - [0:0]
:pr_public_lan_125_malnull - [0:0]
:pr_public_lan_125_malxmas - [0:0]
:pr_public_lan_125_nosyn - [0:0]
:pr_public_lan_125_synflood - [0:0]
# INPUT: accept loopback, then dispatch by destination address to the
# per-address chain.
-A INPUT -i lo -j ACCEPT 
-A INPUT -d 192.168.30.103 -i eth0 -j in_lan 
# NOTE(review): "eth0:0" and "eth0:1" are IP alias labels, not network
# devices. Netfilter compares -i against the device the packet arrived on,
# which is "eth0" for aliased addresses too, so these two rules are not
# expected to match. Traffic to 192.168.100.2 and 192.168.100.5 would then
# fall through to the ULOG/DROP rules below. Matching "-i eth0" together with
# the existing -d address selects the intended traffic. Confirm with the
# per-rule counters ("iptables -L INPUT -n -v").
-A INPUT -d 192.168.100.2 -i eth0:0 -j in_public_lan_124 
-A INPUT -d 192.168.100.5 -i eth0:1 -j in_public_lan_125 
# Only RELATED is accepted at this level; ESTABLISHED traffic is accepted
# inside the per-address chains, so it is lost if the dispatch above misses.
-A INPUT -m state --state RELATED -j ACCEPT 
# Whatever is left is logged at roughly one entry per second and dropped.
# The single quotes inside the double quotes are part of the logged prefix.
-A INPUT -m limit --limit 1/sec -j ULOG --ulog-prefix "'IN-unknown:'" 
-A INPUT -j DROP 
# FORWARD: no service is forwarded. RELATED packets are accepted, everything
# else is logged (rate-limited) and dropped.
# NOTE(review): with no rule accepting NEW or ESTABLISHED forwarded traffic,
# it is unclear what the RELATED accept can ever match - confirm whether it is
# needed.
-A FORWARD -m state --state RELATED -j ACCEPT 
-A FORWARD -m limit --limit 1/sec -j ULOG --ulog-prefix "'PASS-unknown:'" 
-A FORWARD -j DROP 
# OUTPUT: accept loopback, then dispatch by source address to the per-address
# chain.
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -s 192.168.30.103 -o eth0 -j out_lan 
# NOTE(review): "eth0:0" and "eth0:1" are IP alias labels, not network
# devices. Packets sourced from an aliased address still leave through the
# device "eth0", so these two -o matches are not expected to succeed and the
# replies from 192.168.100.2 and 192.168.100.5 would reach the ULOG/DROP rules
# below. Matching "-o eth0" together with the existing -s address selects the
# intended traffic. Confirm with the per-rule counters.
-A OUTPUT -s 192.168.100.2 -o eth0:0 -j out_public_lan_124 
-A OUTPUT -s 192.168.100.5 -o eth0:1 -j out_public_lan_125 
-A OUTPUT -m state --state RELATED -j ACCEPT 
# Whatever is left is logged at roughly one entry per second and dropped.
-A OUTPUT -m limit --limit 1/sec -j ULOG --ulog-prefix "'OUT-unknown:'" 
-A OUTPUT -j DROP 
# in_lan: inbound traffic for 192.168.30.103 arriving on eth0 (jumped to from
# INPUT). Sanity checks run first, then the service chains are tried in order.
-A in_lan -m state --state INVALID -j DROP 
# NOTE(review): the state match needs connection tracking, and with conntrack
# loaded IPv4 fragments are normally reassembled before the filter table, so
# this -f rule is probably never hit - confirm with its counter.
-A in_lan -f -j pr_lan_fragments 
# A TCP packet that conntrack classifies as NEW must be a plain SYN.
-A in_lan -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j pr_lan_nosyn 
# Echo requests (ICMP type 8) and initial SYNs pass through rate limiters that
# RETURN here while the rate is below the limit.
-A in_lan -p icmp -m icmp --icmp-type 8 -j pr_lan_icmpflood 
-A in_lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j pr_lan_synflood 
# TCP flag combinations that do not occur in normal traffic: all six flags
# set, no flags set, SYN+FIN, SYN+RST, every flag except PSH, and FIN+PSH+URG.
-A in_lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j pr_lan_malxmas 
-A in_lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j pr_lan_malnull 
-A in_lan -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j pr_lan_malbad 
-A in_lan -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j pr_lan_malbad 
-A in_lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j pr_lan_malbad 
-A in_lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j pr_lan_malbad 
# Service chains. A sub-chain in which nothing matches returns here and the
# next jump is tried.
-A in_lan -j in_lan_dns_s1 
-A in_lan -j in_lan_http_s2 
-A in_lan -j in_lan_https_s3 
-A in_lan -j in_lan_ssh_s4 
-A in_lan -j in_lan_icmp_s5 
-A in_lan -j in_lan_ftp_s6 
# in_lan_all_c7 accepts every ESTABLISHED packet, so the two client chains
# after it only ever see packets in other states.
-A in_lan -j in_lan_all_c7 
-A in_lan -j in_lan_irc_c8 
-A in_lan -j in_lan_ftp_c9 
-A in_lan -m state --state RELATED -j ACCEPT 
# NOTE(review): the prefix contains literal quote characters, which looks like
# a quoting slip in whatever generated the rules; harmless, but it makes log
# matching awkward.
-A in_lan -m limit --limit 1/sec -j ULOG --ulog-prefix "''IN-lan':'" 
-A in_lan -j DROP 
# Per-service accept rules for traffic addressed to 192.168.30.103.
# Any protocol, any port: replies belonging to an established connection.
-A in_lan_all_c7 -m state --state ESTABLISHED -j ACCEPT 
# DNS service on this host, UDP and TCP port 53, open to any source address.
-A in_lan_dns_s1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_lan_dns_s1 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
# FTP as a client: replies from remote port 21 and data from remote port 20.
# NOTE(review): the RELATED state for FTP data presumably depends on the FTP
# connection-tracking helper being loaded - confirm.
-A in_lan_ftp_c9 -p tcp -m tcp --sport 21 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT 
-A in_lan_ftp_c9 -p tcp -m tcp --sport 20 --dport 32768:61000 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A in_lan_ftp_c9 -p tcp -m tcp --sport 1000:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT 
# FTP service on this host: control on 21, data on 20, and a high port range
# for which only RELATED or ESTABLISHED packets are accepted.
# NOTE(review): "--sport 1000:65535" is not an access control, because the
# source port is chosen by the remote peer; the lower bound is also 1000
# rather than 1024. The same applies to the http, https and ssh rules below.
-A in_lan_ftp_s6 -p tcp -m tcp --sport 1000:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_lan_ftp_s6 -p tcp -m tcp --sport 1000:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT 
-A in_lan_ftp_s6 -p tcp -m tcp --sport 1000:65535 --dport 32768:61000 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A in_lan_http_s2 -p tcp -m tcp --sport 1000:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_lan_https_s3 -p tcp -m tcp --sport 1000:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT 
# NOTE(review): this accepts every ICMP type in state NEW, not only echo
# requests, and only type 8 is rate-limited before this chain is reached.
# Restricting with --icmp-type would narrow it - confirm what is required.
-A in_lan_icmp_s5 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_lan_irc_c8 -p tcp -m tcp --sport 6667 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT 
# NOTE(review): SSH accepts new connections from any source address; a -s
# restriction to the administrative networks would reduce exposure if those
# are known.
-A in_lan_ssh_s4 -p tcp -m tcp --sport 1000:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
# in_public_lan_124: inbound traffic for 192.168.100.2. Same layout as the
# other inbound dispatchers: sanity checks, then service chains in order.
# NOTE(review): INPUT reaches this chain only through a rule matching
# "-i eth0:0"; if that alias name never matches a real device, nothing in this
# chain is evaluated - check the counters before tuning rules here.
-A in_public_lan_124 -m state --state INVALID -j DROP 
# NOTE(review): with conntrack loaded, fragments are normally reassembled
# before the filter table, so this -f rule is probably never hit - confirm.
-A in_public_lan_124 -f -j pr_public_lan_124_fragments 
# A TCP packet that conntrack classifies as NEW must be a plain SYN.
-A in_public_lan_124 -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j pr_public_lan_124_nosyn 
# Rate limiters for echo requests (ICMP type 8) and initial SYNs.
-A in_public_lan_124 -p icmp -m icmp --icmp-type 8 -j pr_public_lan_124_icmpflood 
-A in_public_lan_124 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j pr_public_lan_124_synflood 
# TCP flag combinations that do not occur in normal traffic.
-A in_public_lan_124 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j pr_public_lan_124_malxmas 
-A in_public_lan_124 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j pr_public_lan_124_malnull 
-A in_public_lan_124 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j pr_public_lan_124_malbad 
-A in_public_lan_124 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j pr_public_lan_124_malbad 
-A in_public_lan_124 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j pr_public_lan_124_malbad 
-A in_public_lan_124 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j pr_public_lan_124_malbad 
# Service chains, tried in order; there is no ssh chain for this address.
-A in_public_lan_124 -j in_public_lan_124_dns_s1 
-A in_public_lan_124 -j in_public_lan_124_icmp_s2 
-A in_public_lan_124 -j in_public_lan_124_http_s3 
-A in_public_lan_124 -j in_public_lan_124_https_s4 
-A in_public_lan_124 -j in_public_lan_124_ftp_s5 
# The all_c6 chain accepts every ESTABLISHED packet, so the two client chains
# after it only ever see packets in other states.
-A in_public_lan_124 -j in_public_lan_124_all_c6 
-A in_public_lan_124 -j in_public_lan_124_irc_c7 
-A in_public_lan_124 -j in_public_lan_124_ftp_c8 
-A in_public_lan_124 -m state --state RELATED -j ACCEPT 
# The quote characters inside the double quotes are part of the logged prefix.
-A in_public_lan_124 -m limit --limit 1/sec -j ULOG --ulog-prefix "''IN-public_lan_124':'" 
-A in_public_lan_124 -j DROP 
# Per-service accept rules for traffic addressed to 192.168.100.2.
# Any protocol, any port: replies belonging to an established connection.
-A in_public_lan_124_all_c6 -m state --state ESTABLISHED -j ACCEPT 
# DNS service, UDP and TCP port 53, open to any source address.
-A in_public_lan_124_dns_s1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_public_lan_124_dns_s1 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
# FTP as a client: replies from remote port 21 and data from remote port 20.
-A in_public_lan_124_ftp_c8 -p tcp -m tcp --sport 21 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT 
-A in_public_lan_124_ftp_c8 -p tcp -m tcp --sport 20 --dport 32768:61000 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A in_public_lan_124_ftp_c8 -p tcp -m tcp --sport 1000:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT 
# FTP, HTTP and HTTPS services on this address.
# NOTE(review): "--sport 1000:65535" is not an access control, because the
# source port is chosen by the remote peer; the lower bound is also 1000
# rather than 1024.
-A in_public_lan_124_ftp_s5 -p tcp -m tcp --sport 1000:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_public_lan_124_ftp_s5 -p tcp -m tcp --sport 1000:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT 
-A in_public_lan_124_ftp_s5 -p tcp -m tcp --sport 1000:65535 --dport 32768:61000 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A in_public_lan_124_http_s3 -p tcp -m tcp --sport 1000:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_public_lan_124_https_s4 -p tcp -m tcp --sport 1000:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT 
# NOTE(review): this accepts every ICMP type in state NEW, not only echo
# requests, and only type 8 is rate-limited before this chain is reached.
-A in_public_lan_124_icmp_s2 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_public_lan_124_irc_c7 -p tcp -m tcp --sport 6667 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT 
# in_public_lan_125: inbound traffic for 192.168.100.5. Same layout as the
# other inbound dispatchers: sanity checks, then service chains in order.
# NOTE(review): INPUT reaches this chain only through a rule matching
# "-i eth0:1"; if that alias name never matches a real device, nothing in this
# chain is evaluated - check the counters before tuning rules here.
-A in_public_lan_125 -m state --state INVALID -j DROP 
# NOTE(review): with conntrack loaded, fragments are normally reassembled
# before the filter table, so this -f rule is probably never hit - confirm.
-A in_public_lan_125 -f -j pr_public_lan_125_fragments 
# A TCP packet that conntrack classifies as NEW must be a plain SYN.
-A in_public_lan_125 -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j pr_public_lan_125_nosyn 
# Rate limiters for echo requests (ICMP type 8) and initial SYNs.
-A in_public_lan_125 -p icmp -m icmp --icmp-type 8 -j pr_public_lan_125_icmpflood 
-A in_public_lan_125 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j pr_public_lan_125_synflood 
# TCP flag combinations that do not occur in normal traffic.
-A in_public_lan_125 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j pr_public_lan_125_malxmas 
-A in_public_lan_125 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j pr_public_lan_125_malnull 
-A in_public_lan_125 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j pr_public_lan_125_malbad 
-A in_public_lan_125 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j pr_public_lan_125_malbad 
-A in_public_lan_125 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j pr_public_lan_125_malbad 
-A in_public_lan_125 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j pr_public_lan_125_malbad 
# Service chains, tried in order; there is no ssh chain for this address.
-A in_public_lan_125 -j in_public_lan_125_dns_s1 
-A in_public_lan_125 -j in_public_lan_125_icmp_s2 
-A in_public_lan_125 -j in_public_lan_125_http_s3 
-A in_public_lan_125 -j in_public_lan_125_https_s4 
-A in_public_lan_125 -j in_public_lan_125_ftp_s5 
# The all_c6 chain accepts every ESTABLISHED packet, so the two client chains
# after it only ever see packets in other states.
-A in_public_lan_125 -j in_public_lan_125_all_c6 
-A in_public_lan_125 -j in_public_lan_125_irc_c7 
-A in_public_lan_125 -j in_public_lan_125_ftp_c8 
-A in_public_lan_125 -m state --state RELATED -j ACCEPT 
# The quote characters inside the double quotes are part of the logged prefix.
-A in_public_lan_125 -m limit --limit 1/sec -j ULOG --ulog-prefix "''IN-public_lan_125':'" 
-A in_public_lan_125 -j DROP 
# Per-service accept rules for traffic addressed to 192.168.100.5.
# Any protocol, any port: replies belonging to an established connection.
-A in_public_lan_125_all_c6 -m state --state ESTABLISHED -j ACCEPT 
# DNS service, UDP and TCP port 53, open to any source address.
-A in_public_lan_125_dns_s1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_public_lan_125_dns_s1 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
# FTP as a client: replies from remote port 21 and data from remote port 20.
-A in_public_lan_125_ftp_c8 -p tcp -m tcp --sport 21 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT 
-A in_public_lan_125_ftp_c8 -p tcp -m tcp --sport 20 --dport 32768:61000 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A in_public_lan_125_ftp_c8 -p tcp -m tcp --sport 1000:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT 
# FTP, HTTP and HTTPS services on this address.
# NOTE(review): "--sport 1000:65535" is not an access control, because the
# source port is chosen by the remote peer; the lower bound is also 1000
# rather than 1024.
-A in_public_lan_125_ftp_s5 -p tcp -m tcp --sport 1000:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_public_lan_125_ftp_s5 -p tcp -m tcp --sport 1000:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT 
-A in_public_lan_125_ftp_s5 -p tcp -m tcp --sport 1000:65535 --dport 32768:61000 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A in_public_lan_125_http_s3 -p tcp -m tcp --sport 1000:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_public_lan_125_https_s4 -p tcp -m tcp --sport 1000:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT 
# NOTE(review): this accepts every ICMP type in state NEW, not only echo
# requests, and only type 8 is rate-limited before this chain is reached.
-A in_public_lan_125_icmp_s2 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT 
-A in_public_lan_125_irc_c7 -p tcp -m tcp --sport 6667 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT 
# out_lan: outbound traffic sourced from 192.168.30.103 on eth0 (jumped to
# from OUTPUT). Unlike the inbound chain there is no INVALID or flag check.
-A out_lan -j out_lan_dns_s1 
-A out_lan -j out_lan_http_s2 
-A out_lan -j out_lan_https_s3 
-A out_lan -j out_lan_ssh_s4 
-A out_lan -j out_lan_icmp_s5 
-A out_lan -j out_lan_ftp_s6 
# NOTE(review): out_lan_all_c7 accepts every NEW or ESTABLISHED packet, so
# outbound traffic from this address is effectively unrestricted. The jumps
# after it and the ULOG/DROP rules only see packets in other states; the DROP
# policy on OUTPUT therefore provides no egress filtering here.
-A out_lan -j out_lan_all_c7 
-A out_lan -j out_lan_irc_c8 
-A out_lan -j out_lan_ftp_c9 
-A out_lan -m state --state RELATED -j ACCEPT 
# The quote characters inside the double quotes are part of the logged prefix.
-A out_lan -m limit --limit 1/sec -j ULOG --ulog-prefix "''OUT-lan':'" 
-A out_lan -j DROP 
# Per-service accept rules for traffic sourced from 192.168.30.103.
# Any protocol, any port, including new connections.
-A out_lan_all_c7 -m state --state NEW,ESTABLISHED -j ACCEPT 
# Replies from the local DNS service (source port 53).
# NOTE(review): the other server-reply rules accept ESTABLISHED only; NEW is
# also accepted here - confirm whether that is intended.
-A out_lan_dns_s1 -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A out_lan_dns_s1 -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
# FTP as a client: control to remote port 21, data to port 20 or a high port.
-A out_lan_ftp_c9 -p tcp -m tcp --sport 32768:61000 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A out_lan_ftp_c9 -p tcp -m tcp --sport 32768:61000 --dport 20 -m state --state ESTABLISHED -j ACCEPT 
-A out_lan_ftp_c9 -p tcp -m tcp --sport 32768:61000 --dport 1000:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
# Replies from the local FTP, HTTP, HTTPS and SSH services. No NEW state is
# accepted, so these rules cannot originate a connection.
-A out_lan_ftp_s6 -p tcp -m tcp --sport 21 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_lan_ftp_s6 -p tcp -m tcp --sport 20 --dport 1000:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A out_lan_ftp_s6 -p tcp -m tcp --sport 32768:61000 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_lan_http_s2 -p tcp -m tcp --sport 80 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_lan_https_s3 -p tcp -m tcp --sport 443 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_lan_icmp_s5 -p icmp -m state --state ESTABLISHED -j ACCEPT 
# IRC as a client: new connections to remote port 6667.
-A out_lan_irc_c8 -p tcp -m tcp --sport 32768:61000 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A out_lan_ssh_s4 -p tcp -m tcp --sport 22 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
# out_public_lan_124: outbound traffic sourced from 192.168.100.2.
# NOTE(review): OUTPUT reaches this chain only through a rule matching
# "-o eth0:0"; if that alias name never matches a real device, nothing in this
# chain is evaluated - check the counters.
-A out_public_lan_124 -j out_public_lan_124_dns_s1 
-A out_public_lan_124 -j out_public_lan_124_icmp_s2 
-A out_public_lan_124 -j out_public_lan_124_http_s3 
-A out_public_lan_124 -j out_public_lan_124_https_s4 
-A out_public_lan_124 -j out_public_lan_124_ftp_s5 
# NOTE(review): the all_c6 chain accepts every NEW or ESTABLISHED packet, so
# outbound traffic from this address is effectively unrestricted once this
# chain is reached.
-A out_public_lan_124 -j out_public_lan_124_all_c6 
-A out_public_lan_124 -j out_public_lan_124_irc_c7 
-A out_public_lan_124 -j out_public_lan_124_ftp_c8 
-A out_public_lan_124 -m state --state RELATED -j ACCEPT 
# The quote characters inside the double quotes are part of the logged prefix.
-A out_public_lan_124 -m limit --limit 1/sec -j ULOG --ulog-prefix "''OUT-public_lan_124':'" 
-A out_public_lan_124 -j DROP 
# Per-service accept rules for traffic sourced from 192.168.100.2.
# Any protocol, any port, including new connections.
-A out_public_lan_124_all_c6 -m state --state NEW,ESTABLISHED -j ACCEPT 
# Replies from the local DNS service (source port 53); NEW is accepted here
# although the other server-reply rules accept ESTABLISHED only.
-A out_public_lan_124_dns_s1 -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A out_public_lan_124_dns_s1 -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
# FTP as a client: control to remote port 21, data to port 20 or a high port.
-A out_public_lan_124_ftp_c8 -p tcp -m tcp --sport 32768:61000 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A out_public_lan_124_ftp_c8 -p tcp -m tcp --sport 32768:61000 --dport 20 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_124_ftp_c8 -p tcp -m tcp --sport 32768:61000 --dport 1000:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
# Replies from the local FTP, HTTP and HTTPS services and ICMP replies. No NEW
# state is accepted, so these rules cannot originate a connection.
-A out_public_lan_124_ftp_s5 -p tcp -m tcp --sport 21 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_124_ftp_s5 -p tcp -m tcp --sport 20 --dport 1000:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A out_public_lan_124_ftp_s5 -p tcp -m tcp --sport 32768:61000 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_124_http_s3 -p tcp -m tcp --sport 80 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_124_https_s4 -p tcp -m tcp --sport 443 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_124_icmp_s2 -p icmp -m state --state ESTABLISHED -j ACCEPT 
# IRC as a client: new connections to remote port 6667.
-A out_public_lan_124_irc_c7 -p tcp -m tcp --sport 32768:61000 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT 
# out_public_lan_125: outbound traffic sourced from 192.168.100.5.
# NOTE(review): OUTPUT reaches this chain only through a rule matching
# "-o eth0:1"; if that alias name never matches a real device, nothing in this
# chain is evaluated - check the counters.
-A out_public_lan_125 -j out_public_lan_125_dns_s1 
-A out_public_lan_125 -j out_public_lan_125_icmp_s2 
-A out_public_lan_125 -j out_public_lan_125_http_s3 
-A out_public_lan_125 -j out_public_lan_125_https_s4 
-A out_public_lan_125 -j out_public_lan_125_ftp_s5 
# NOTE(review): the all_c6 chain accepts every NEW or ESTABLISHED packet, so
# outbound traffic from this address is effectively unrestricted once this
# chain is reached.
-A out_public_lan_125 -j out_public_lan_125_all_c6 
-A out_public_lan_125 -j out_public_lan_125_irc_c7 
-A out_public_lan_125 -j out_public_lan_125_ftp_c8 
-A out_public_lan_125 -m state --state RELATED -j ACCEPT 
# The quote characters inside the double quotes are part of the logged prefix.
-A out_public_lan_125 -m limit --limit 1/sec -j ULOG --ulog-prefix "''OUT-public_lan_125':'" 
-A out_public_lan_125 -j DROP 
# Per-service accept rules for traffic sourced from 192.168.100.5.
# Any protocol, any port, including new connections.
-A out_public_lan_125_all_c6 -m state --state NEW,ESTABLISHED -j ACCEPT 
# Replies from the local DNS service (source port 53); NEW is accepted here
# although the other server-reply rules accept ESTABLISHED only.
-A out_public_lan_125_dns_s1 -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A out_public_lan_125_dns_s1 -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
# FTP as a client: control to remote port 21, data to port 20 or a high port.
-A out_public_lan_125_ftp_c8 -p tcp -m tcp --sport 32768:61000 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A out_public_lan_125_ftp_c8 -p tcp -m tcp --sport 32768:61000 --dport 20 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_125_ftp_c8 -p tcp -m tcp --sport 32768:61000 --dport 1000:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
# Replies from the local FTP, HTTP and HTTPS services and ICMP replies. No NEW
# state is accepted, so these rules cannot originate a connection.
-A out_public_lan_125_ftp_s5 -p tcp -m tcp --sport 21 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_125_ftp_s5 -p tcp -m tcp --sport 20 --dport 1000:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A out_public_lan_125_ftp_s5 -p tcp -m tcp --sport 32768:61000 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_125_http_s3 -p tcp -m tcp --sport 80 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_125_https_s4 -p tcp -m tcp --sport 443 --dport 1000:65535 -m state --state ESTABLISHED -j ACCEPT 
-A out_public_lan_125_icmp_s2 -p icmp -m state --state ESTABLISHED -j ACCEPT 
# IRC as a client: new connections to remote port 6667.
-A out_public_lan_125_irc_c7 -p tcp -m tcp --sport 32768:61000 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT 
# Sanity and flood chains for 192.168.30.103, entered from in_lan. Each one
# logs at roughly one entry per second and then drops; the log rate limit does
# not limit the drop.
# NOTE(review): these prefixes are identical in the pr_public_lan_124 and
# pr_public_lan_125 chains, so a log entry does not show which local address
# was hit unless the logged packet header is inspected.
-A pr_lan_fragments -m limit --limit 1/sec -j ULOG --ulog-prefix "'PACKET FRAGMENTS:'" 
-A pr_lan_fragments -j DROP 
# Echo requests: RETURN to in_lan while under 100/sec (burst 50); anything
# above that is logged and dropped.
# NOTE(review): the limit match keeps one bucket per rule, not per source, so
# during a flood legitimate requests are dropped together with the flood. A
# per-source limiter such as the hashlimit match avoids that, where available.
-A pr_lan_icmpflood -m limit --limit 100/sec --limit-burst 50 -j RETURN 
-A pr_lan_icmpflood -m limit --limit 1/sec -j ULOG --ulog-prefix "'ICMP FLOOD:'" 
-A pr_lan_icmpflood -j DROP 
-A pr_lan_malbad -m limit --limit 1/sec -j ULOG --ulog-prefix "'MALFORMED BAD:'" 
-A pr_lan_malbad -j DROP 
-A pr_lan_malnull -m limit --limit 1/sec -j ULOG --ulog-prefix "'MALFORMED NULL:'" 
-A pr_lan_malnull -j DROP 
-A pr_lan_malxmas -m limit --limit 1/sec -j ULOG --ulog-prefix "'MALFORMED XMAS:'" 
-A pr_lan_malxmas -j DROP 
-A pr_lan_nosyn -m limit --limit 1/sec -j ULOG --ulog-prefix "'NEW TCP w/o SYN:'" 
-A pr_lan_nosyn -j DROP 
# Initial SYNs: same global 100/sec (burst 50) bucket shared by all sources and
# all services on this address, with the same caveat as the ICMP limiter.
-A pr_lan_synflood -m limit --limit 100/sec --limit-burst 50 -j RETURN 
-A pr_lan_synflood -m limit --limit 1/sec -j ULOG --ulog-prefix "'SYN FLOOD:'" 
-A pr_lan_synflood -j DROP 
# Sanity and flood chains for 192.168.100.2, entered from in_public_lan_124.
# Each one logs at roughly one entry per second and then drops.
# The log prefixes do not name the address they belong to.
-A pr_public_lan_124_fragments -m limit --limit 1/sec -j ULOG --ulog-prefix "'PACKET FRAGMENTS:'" 
-A pr_public_lan_124_fragments -j DROP 
# Echo requests: RETURN while under 100/sec (burst 50), otherwise log and drop.
# NOTE(review): the limit match keeps one bucket per rule, not per source, so
# a flood from one sender also causes legitimate requests to be dropped.
-A pr_public_lan_124_icmpflood -m limit --limit 100/sec --limit-burst 50 -j RETURN 
-A pr_public_lan_124_icmpflood -m limit --limit 1/sec -j ULOG --ulog-prefix "'ICMP FLOOD:'" 
-A pr_public_lan_124_icmpflood -j DROP 
-A pr_public_lan_124_malbad -m limit --limit 1/sec -j ULOG --ulog-prefix "'MALFORMED BAD:'" 
-A pr_public_lan_124_malbad -j DROP 
-A pr_public_lan_124_malnull -m limit --limit 1/sec -j ULOG --ulog-prefix "'MALFORMED NULL:'" 
-A pr_public_lan_124_malnull -j DROP 
-A pr_public_lan_124_malxmas -m limit --limit 1/sec -j ULOG --ulog-prefix "'MALFORMED XMAS:'" 
-A pr_public_lan_124_malxmas -j DROP 
-A pr_public_lan_124_nosyn -m limit --limit 1/sec -j ULOG --ulog-prefix "'NEW TCP w/o SYN:'" 
-A pr_public_lan_124_nosyn -j DROP 
# Initial SYNs: one 100/sec (burst 50) bucket shared by all sources and all
# services on this address.
-A pr_public_lan_124_synflood -m limit --limit 100/sec --limit-burst 50 -j RETURN 
-A pr_public_lan_124_synflood -m limit --limit 1/sec -j ULOG --ulog-prefix "'SYN FLOOD:'" 
-A pr_public_lan_124_synflood -j DROP 
# Sanity and flood chains for 192.168.100.5, entered from in_public_lan_125.
# Each one logs at roughly one entry per second and then drops.
# The log prefixes do not name the address they belong to.
-A pr_public_lan_125_fragments -m limit --limit 1/sec -j ULOG --ulog-prefix "'PACKET FRAGMENTS:'" 
-A pr_public_lan_125_fragments -j DROP 
# Echo requests: RETURN while under 100/sec (burst 50), otherwise log and drop.
# NOTE(review): the limit match keeps one bucket per rule, not per source, so
# a flood from one sender also causes legitimate requests to be dropped.
-A pr_public_lan_125_icmpflood -m limit --limit 100/sec --limit-burst 50 -j RETURN 
-A pr_public_lan_125_icmpflood -m limit --limit 1/sec -j ULOG --ulog-prefix "'ICMP FLOOD:'" 
-A pr_public_lan_125_icmpflood -j DROP 
-A pr_public_lan_125_malbad -m limit --limit 1/sec -j ULOG --ulog-prefix "'MALFORMED BAD:'" 
-A pr_public_lan_125_malbad -j DROP 
-A pr_public_lan_125_malnull -m limit --limit 1/sec -j ULOG --ulog-prefix "'MALFORMED NULL:'" 
-A pr_public_lan_125_malnull -j DROP 
-A pr_public_lan_125_malxmas -m limit --limit 1/sec -j ULOG --ulog-prefix "'MALFORMED XMAS:'" 
-A pr_public_lan_125_malxmas -j DROP 
-A pr_public_lan_125_nosyn -m limit --limit 1/sec -j ULOG --ulog-prefix "'NEW TCP w/o SYN:'" 
-A pr_public_lan_125_nosyn -j DROP 
# Initial SYNs: one 100/sec (burst 50) bucket shared by all sources and all
# services on this address.
-A pr_public_lan_125_synflood -m limit --limit 100/sec --limit-burst 50 -j RETURN 
-A pr_public_lan_125_synflood -m limit --limit 1/sec -j ULOG --ulog-prefix "'SYN FLOOD:'" 
-A pr_public_lan_125_synflood -j DROP 
# End of the filter table.
COMMIT
# Completed on Fri May  4 11:56:26 2007
