Jesse Molina wrote:
The output of the command "iptables-save" would be useful to us. As
would an "ip addr" or "ifconfig -a", on BOTH the server and the
firewall.
The actual error messages would be useful as well.
If you don't want to fix it, which would be contrary to the fact that
you told us all about it, there are a number of other Linux or
FreeBSD/OpenBSD firewall projects -- Google can help you find the way.
If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
Check Point are quite common. I don't care for Watchguard, SonicWall,
or other firewall vendors much.
Chris Davies wrote:
Hello,
new to this place, so hi everyone.
I run a few servers on my network and am having problems with my
firewall.
I am finishing up my IMAP server but I can't connect to it; the
error my firewall spits out is that it is a spoofed MAC address (on the
server side). I can connect to the local addresses but not anywhere
where it has to go through my fw.
I run Debian 3.01 (sarge) with Exim4, Dovecot IMAP w/maildir, and I
have 4 virtual IPs on this server, for intra(extra)nets.
My firewall is Astaro Security Linux 6.
My question is what is a good firewall these days, because I have
about had it with this one.
Thanx
Chris
Message from log --->
2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT=
MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105
DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF
PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*nat
:AUTO_OUTPUT - [0:0]
:AUTO_POST - [0:0]
:AUTO_PRE - [0:0]
:PREROUTING ACCEPT [684764:90790281]
:POSTROUTING ACCEPT [810702:54559262]
:OUTPUT ACCEPT [38180:5648519]
:USR_OUTPUT - [0:0]
:USR_POST - [0:0]
:USR_PRE - [0:0]
-A PREROUTING -j AUTO_PRE
-A PREROUTING -j USR_PRE
-A POSTROUTING -j AUTO_POST
-A POSTROUTING -j USR_POST
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport
80 -j DNAT --to-destination 192.168.1.110
-A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25
-j DNAT --to-destination 192.168.1.100
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport
6881 -j DNAT --to-destination 192.168.2.105
-A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
6881 -j DNAT --to-destination 192.168.2.105
-A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
4444 -j DNAT --to-destination 192.168.2.105
-A USR_POST -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
-A USR_POST -s 192.168.2.0/255.255.255.0 -o eth2 -j MASQUERADE
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80
-j DNAT --to-destination 192.168.1.110
-A USR_PRE -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_PRE -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j
DNAT --to-destination 192.168.1.100
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881
-j DNAT --to-destination 192.168.2.105
-A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 6881
-j DNAT --to-destination 192.168.2.105
-A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 4444
-j DNAT --to-destination 192.168.2.105
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*ips
:PREROUTING ACCEPT [85268420:58804227617]
:INPUT ACCEPT [71920:73703193]
:FORWARD ACCEPT [18409:10865526]
:OUTPUT ACCEPT [51149:7744091]
:POSTROUTING ACCEPT [85257053:58524784864]
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*mangle
:INVALID_PKT - [0:0]
:POLICY_ROUTING_OUT - [0:0]
:POLICY_ROUTING_PRE - [0:0]
:PREROUTING ACCEPT [85268432:58804228448]
:INPUT ACCEPT [6933573:1948839077]
:FORWARD ACCEPT [78333312:56855205229]
:OUTPUT ACCEPT [7027235:1676138656]
:POSTROUTING ACCEPT [67282614:56180797304]
:SET_PRIO_HIGH - [0:0]
:SET_PRIO_LOW - [0:0]
-A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
--ulog-qthreshold 50
-A INVALID_PKT -j DROP
-A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
-A PREROUTING -p icmp -m icmp --icmp-type 5 -j ULOG --ulog-prefix "ICMP
REDIRECT: " --ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -j POLICY_ROUTING_PRE
-A PREROUTING -p tcp -m length --length 20:39 -j INVALID_PKT
-A PREROUTING -p udp -m length --length 20:27 -j INVALID_PKT
-A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
-A PREROUTING -m state --state RELATED -m helper --helper "ftp" -j ULOG
--ulog-prefix "FTP_DATA: " --ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p udp
-m udp --sport 53:65535 --dport 53 -m u32 --u32
0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0 -j ULOG --ulog-prefix "DNS_REQUEST: "
--ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p tcp
-m tcp --sport 53:65535 --dport 53 -m u32 --u32
0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0>>0xf&0x1=0x0 -j ULOG --ulog-prefix
"DNS_REQUEST: " --ulog-cprange 40 --ulog-qthreshold 50
-A OUTPUT -j POLICY_ROUTING_OUT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -p tcp -m tcp --tcp-flags ACK ACK -m length --length
50:100 -j SET_PRIO_HIGH
-A POSTROUTING -m tos --tos Minimize-Delay -j SET_PRIO_HIGH
-A POSTROUTING -p icmp -j SET_PRIO_HIGH
-A SET_PRIO_HIGH -j CLASSIFY --set-class 0000:0008
-A SET_PRIO_HIGH -j ACCEPT
-A SET_PRIO_LOW -j CLASSIFY --set-class 0000:0005
-A SET_PRIO_LOW -j ACCEPT
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*raw
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:LOCAL_TRAFFIC - [0:0]
:PREROUTING ACCEPT [144:6172]
:OUTPUT ACCEPT [913592:160544115]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
-A ICMP_FLOOD -j ICMP_FLOOD_SRC
-A ICMP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"ICMP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A ICMP_FLOOD_DROP -j DROP
-A ICMP_FLOOD_DST -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
--hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j ACCEPT
-A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
-A ICMP_FLOOD_SRC -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
--hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
-A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
-A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j
LOCAL_TRAFFIC
-A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j
LOCAL_TRAFFIC
-A PREROUTING -p tcp -j SYN_FLOOD
-A PREROUTING -p udp -j UDP_FLOOD
-A PREROUTING -p icmp -j ICMP_FLOOD
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A SYN_FLOOD -j SYN_FLOOD_SRC
-A SYN_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"SYN_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A SYN_FLOOD_DROP -j DROP
-A SYN_FLOOD_DST -m hashlimit --hashlimit 200/sec --hashlimit-burst 30
--hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j ACCEPT
-A SYN_FLOOD_DST -j SYN_FLOOD_DROP
-A SYN_FLOOD_SRC -m hashlimit --hashlimit 100/sec --hashlimit-burst 30
--hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
-A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
-A UDP_FLOOD -j UDP_FLOOD_SRC
-A UDP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"UDP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A UDP_FLOOD_DROP -j DROP
-A UDP_FLOOD_DST -m hashlimit --hashlimit 303/sec --hashlimit-burst 60
--hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j ACCEPT
-A UDP_FLOOD_DST -j UDP_FLOOD_DROP
-A UDP_FLOOD_SRC -m hashlimit --hashlimit 200/sec --hashlimit-burst 60
--hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
-A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*filter
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:HA - [0:0]
:INPUT DROP [3:534]
:FORWARD DROP [0:0]
:INVALID_PKT - [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:OUTPUT DROP [4:224]
:PSD_ACTION - [0:0]
:PSD_MATCH - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:STRICT_TCP_STATE - [0:0]
:USR_FORWARD - [0:0]
:USR_INPUT - [0:0]
:USR_OUTPUT - [0:0]
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
-A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535
--dport 22 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j LOGDROP
-A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 25 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED
-A AUTO_OUTPUT -d 216.180.176.3 -p tcp -m tcp --sport 53:65535 --dport
53 -m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 216.180.176.3 -p udp -m udp --sport 53:65535 --dport
53 -m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.128.5 -p tcp -m tcp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.128.5 -p udp -m udp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.129.5 -p tcp -m tcp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.129.5 -p udp -m udp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 25 -m owner
--cmd-owner exim -j CONFIRMED
-A AUTO_OUTPUT -d 192.168.1.100 -p udp -m udp --sport 1:65535 --dport
514 -m owner --cmd-owner syslog-ng -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -m
owner --cmd-owner netselect -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
--cmd-owner aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
--cmd-owner aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
--cmd-owner pattern_aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
--cmd-owner pattern_aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -m owner
--cmd-owner wget -j CONFIRMED
-A INPUT -i lo -j ACCEPT
-A INPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A INPUT -m state --state RELATED -j CONFIRMED
-A INPUT -j SPOOFING_PROTECTION
-A INPUT -j HA
-A INPUT -j PSD_MATCH
-A INPUT -j SANITY_CHECKS
-A INPUT -j AUTO_INPUT
-A INPUT -j USR_INPUT
-A INPUT -j LOGDROP
-A FORWARD -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A FORWARD -m state --state RELATED -j CONFIRMED
-A FORWARD -j SPOOFING_PROTECTION
-A FORWARD -j PSD_MATCH
-A FORWARD -j SANITY_CHECKS
-A FORWARD -j AUTO_FORWARD
-A FORWARD -j USR_FORWARD
-A FORWARD -j LOGDROP
-A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
--ulog-qthreshold 50
-A INVALID_PKT -j DROP
-A LOGACCEPT -j ULOG --ulog-prefix "ACCEPT: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGACCEPT -j CONFIRMED
-A LOGDROP -j ULOG --ulog-prefix "DROP: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGDROP -j DROP
-A LOGREJECT -j ULOG --ulog-prefix "REJECT: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A OUTPUT -m state --state RELATED -j CONFIRMED
-A OUTPUT -j HA
-A OUTPUT -j SANITY_CHECKS
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A OUTPUT -j LOGDROP
-A PSD_ACTION -j ULOG --ulog-prefix "PORTSCAN: " --ulog-cprange 40
--ulog-qthreshold 50
-A PSD_ACTION -j DROP
-A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300
--psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION
-A SANITY_CHECKS -p tcp -m tcp --sport 21 --dport 1:65535 --tcp-flags
SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
-A SANITY_CHECKS -p tcp -m state --state NEW -j STRICT_TCP_STATE
-A SANITY_CHECKS -p tcp -m tcp --sport 1:65535 --dport 21 -m state
--state INVALID -j REJECT --reject-with tcp-reset
-A SANITY_CHECKS -p tcp -m state --state INVALID -j INVALID_PKT
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j
SPOOF_DROP
-A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
40 --ulog-qthreshold 50
-A SPOOF_DROP -j DROP
-A STRICT_TCP_STATE -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
-A STRICT_TCP_STATE -p tcp -j INVALID_PKT
-A STRICT_TCP_STATE -p tcp -j DROP
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 20:21 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 21 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 25 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 23 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.100 -p tcp -m
tcp --sport 1024:65535 --dport 143 -j CONFIRMED
-A USR_FORWARD -p tcp -m tcp --sport 1:65535 --dport 53 -j CONFIRMED
-A USR_FORWARD -p udp -m udp --sport 1:65535 --dport 53 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
-j CONFIRMED
-A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
-j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
143 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
143 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 20:21 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.110 -p tcp -m tcp --sport 1024:65535 --dport
80 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --dport 22 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 10000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 10000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 3306 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 3306 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.105 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.105 -p udp -m udp --sport 1:65535 --dport
4444 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 5000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1024:65535 --dport 389 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1024:65535 --dport 389 -j CONFIRMED
-A USR_INPUT -d 192.168.2.255 -j DROP
-A USR_INPUT -d 192.168.1.255 -j DROP
-A USR_INPUT -d 255.255.255.255 -j DROP
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
ip addr --->
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:01:02:66:65:9a brd ff:ff:ff:ff:ff:ff
inet 192.168.2.5/24 brd 192.168.2.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:c7:5b:26:09 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:8b:0e:07:a2 brd ff:ff:ff:ff:ff:ff
inet 69.20.153.137/28 brd 69.20.153.143 scope global eth2
********* end
ifconfig -a ----->
eth0 Link encap:Ethernet HWaddr 00:01:02:66:65:9A
inet addr:192.168.2.5 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:43248768 errors:4 dropped:0 overruns:0 frame:4
TX packets:35972974 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3994495514 (3809.4 Mb) TX bytes:2463271557
(2349.1 Mb)
Interrupt:169 Base address:0xdc00
eth1 Link encap:Ethernet HWaddr 00:08:C7:5B:26:09
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6956097 errors:0 dropped:0 overruns:0 frame:0
TX packets:10514182 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:111359643 (106.2 Mb) TX bytes:2215921769 (2113.2 Mb)
eth2 Link encap:Ethernet HWaddr 00:50:8B:0E:07:A2
inet addr:69.20.153.137 Bcast:69.20.153.143
Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30327796 errors:0 dropped:0 overruns:0 frame:0
TX packets:32818577 errors:0 dropped:0 overruns:0 carrier:0
collisions:294358 txqueuelen:1000
RX bytes:2949179609 (2812.5 Mb) TX bytes:1976098120
(1884.5 Mb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6116295 errors:0 dropped:0 overruns:0 frame:0
TX packets:6116295 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1516135054 (1445.8 Mb) TX bytes:1516135054
(1445.8 Mb)
*************end
The purpose of listing my current config was to give anyone else an idea
of what I am now using (like to suggest just an iptables-based solution
vs a larger Cisco PIX box, which would be overkill for my use). I
would like to switch to a different one, but I would like some opinions
of what you have used and are happy with vs getting a beta and having
security breaches, or if you could help me fix this one I would be very
appreciative.
Chris