Re: Firewall



Jesse Molina wrote:
>
> The output of the command "iptables-save" would be useful to us.  As
> would an "ip addr" or "ifconfig -a", on BOTH the server and the firewall.
>
> The actual error messages would be useful as well.
>
> If you don't want to fix it, which would be contrary to the fact that
> you told us all about it, there are a number of other Linux or
> FreeBSD/OpenBSD firewall projects -- google can help you find the way.
> If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
> checkpoint are quite common.  I don't care for Watchguard, SonicWall,
> or other firewall vendors much.
>
>
>
> Chris Davies wrote:
>> Hello,
>> new to this place, so Hi everyone.
>>
>> I run a few servers on my network and am having problems with my
>> firewall.
>> I am finishing up my IMAP server but I can't connect to it; the error my
>> firewall spits out is that it is a spoofed MAC address (on the server
>> side). I can connect to the local addresses but not to anywhere where it
>> has to go through my fw.
>> I run Debian 3.01 (sarge) with Exim4, Dovecot IMAP w/maildir; also I have
>> 4 virtual IPs on this server, for intra(extra)nets.
>> My firewall is Astaro Security Linux 6.
>> My question is what is a good firewall these days, because I have about
>> had it with this one.
>>
>> Thanx
>> Chris
>>
>>
>
Message from log --->
2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT=
MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105
DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF
PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0

# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*nat
:AUTO_OUTPUT - [0:0]
:AUTO_POST - [0:0]
:AUTO_PRE - [0:0]
:PREROUTING ACCEPT [684764:90790281]
:POSTROUTING ACCEPT [810702:54559262]
:OUTPUT ACCEPT [38180:5648519]
:USR_OUTPUT - [0:0]
:USR_POST - [0:0]
:USR_PRE - [0:0]
-A PREROUTING -j AUTO_PRE
-A PREROUTING -j USR_PRE
-A POSTROUTING -j AUTO_POST
-A POSTROUTING -j USR_POST
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport
80 -j DNAT --to-destination 192.168.1.110
-A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25
-j DNAT --to-destination 192.168.1.100
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport
6881 -j DNAT --to-destination 192.168.2.105
-A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
6881 -j DNAT --to-destination 192.168.2.105
-A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
4444 -j DNAT --to-destination 192.168.2.105
-A USR_POST -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
-A USR_POST -s 192.168.2.0/255.255.255.0 -o eth2 -j MASQUERADE
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80
-j DNAT --to-destination 192.168.1.110
-A USR_PRE -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_PRE -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j
DNAT --to-destination 192.168.1.100
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881
-j DNAT --to-destination 192.168.2.105
-A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 6881
-j DNAT --to-destination 192.168.2.105
-A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 4444
-j DNAT --to-destination 192.168.2.105
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*ips
:PREROUTING ACCEPT [85268420:58804227617]
:INPUT ACCEPT [71920:73703193]
:FORWARD ACCEPT [18409:10865526]
:OUTPUT ACCEPT [51149:7744091]
:POSTROUTING ACCEPT [85257053:58524784864]
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*mangle
:INVALID_PKT - [0:0]
:POLICY_ROUTING_OUT - [0:0]
:POLICY_ROUTING_PRE - [0:0]
:PREROUTING ACCEPT [85268432:58804228448]
:INPUT ACCEPT [6933573:1948839077]
:FORWARD ACCEPT [78333312:56855205229]
:OUTPUT ACCEPT [7027235:1676138656]
:POSTROUTING ACCEPT [67282614:56180797304]
:SET_PRIO_HIGH - [0:0]
:SET_PRIO_LOW - [0:0]
-A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
--ulog-qthreshold 50
-A INVALID_PKT -j DROP
-A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
-A PREROUTING -p icmp -m icmp --icmp-type 5 -j ULOG --ulog-prefix "ICMP
REDIRECT: " --ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -j POLICY_ROUTING_PRE
-A PREROUTING -p tcp -m length --length 20:39 -j INVALID_PKT
-A PREROUTING -p udp -m length --length 20:27 -j INVALID_PKT
-A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
-A PREROUTING -m state --state RELATED -m helper --helper "ftp" -j ULOG
--ulog-prefix "FTP_DATA: " --ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p udp
-m udp --sport 53:65535 --dport 53 -m u32 --u32
0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0 -j ULOG --ulog-prefix "DNS_REQUEST: "
--ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p tcp
-m tcp --sport 53:65535 --dport 53 -m u32 --u32
0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0>>0xf&0x1=0x0 -j ULOG --ulog-prefix
"DNS_REQUEST: " --ulog-cprange 40 --ulog-qthreshold 50
-A OUTPUT -j POLICY_ROUTING_OUT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -p tcp -m tcp --tcp-flags ACK ACK -m length --length
50:100 -j SET_PRIO_HIGH
-A POSTROUTING -m tos --tos Minimize-Delay -j SET_PRIO_HIGH
-A POSTROUTING -p icmp -j SET_PRIO_HIGH
-A SET_PRIO_HIGH -j CLASSIFY --set-class 0000:0008
-A SET_PRIO_HIGH -j ACCEPT
-A SET_PRIO_LOW -j CLASSIFY --set-class 0000:0005
-A SET_PRIO_LOW -j ACCEPT
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*raw
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:LOCAL_TRAFFIC - [0:0]
:PREROUTING ACCEPT [144:6172]
:OUTPUT ACCEPT [913592:160544115]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
-A ICMP_FLOOD -j ICMP_FLOOD_SRC
-A ICMP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"ICMP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A ICMP_FLOOD_DROP -j DROP
-A ICMP_FLOOD_DST -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
--hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j ACCEPT
-A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
-A ICMP_FLOOD_SRC -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
--hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
-A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
-A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A PREROUTING -p tcp -j SYN_FLOOD
-A PREROUTING -p udp -j UDP_FLOOD
-A PREROUTING -p icmp -j ICMP_FLOOD
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A SYN_FLOOD -j SYN_FLOOD_SRC
-A SYN_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"SYN_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A SYN_FLOOD_DROP -j DROP
-A SYN_FLOOD_DST -m hashlimit --hashlimit 200/sec --hashlimit-burst 30
--hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j ACCEPT
-A SYN_FLOOD_DST -j SYN_FLOOD_DROP
-A SYN_FLOOD_SRC -m hashlimit --hashlimit 100/sec --hashlimit-burst 30
--hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
-A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
-A UDP_FLOOD -j UDP_FLOOD_SRC
-A UDP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"UDP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A UDP_FLOOD_DROP -j DROP
-A UDP_FLOOD_DST -m hashlimit --hashlimit 303/sec --hashlimit-burst 60
--hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j ACCEPT
-A UDP_FLOOD_DST -j UDP_FLOOD_DROP
-A UDP_FLOOD_SRC -m hashlimit --hashlimit 200/sec --hashlimit-burst 60
--hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
-A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*filter
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:HA - [0:0]
:INPUT DROP [3:534]
:FORWARD DROP [0:0]
:INVALID_PKT - [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:OUTPUT DROP [4:224]
:PSD_ACTION - [0:0]
:PSD_MATCH - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:STRICT_TCP_STATE - [0:0]
:USR_FORWARD - [0:0]
:USR_INPUT - [0:0]
:USR_OUTPUT - [0:0]
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
-A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535
--dport 22 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j LOGDROP
-A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 25 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED
-A AUTO_OUTPUT -d 216.180.176.3 -p tcp -m tcp --sport 53:65535 --dport
53 -m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 216.180.176.3 -p udp -m udp --sport 53:65535 --dport
53 -m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.128.5 -p tcp -m tcp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.128.5 -p udp -m udp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.129.5 -p tcp -m tcp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.129.5 -p udp -m udp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 25 -m owner
--cmd-owner exim -j CONFIRMED
-A AUTO_OUTPUT -d 192.168.1.100 -p udp -m udp --sport 1:65535 --dport
514 -m owner --cmd-owner syslog-ng -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -m
owner --cmd-owner netselect -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
--cmd-owner aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
--cmd-owner aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
--cmd-owner pattern_aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
--cmd-owner pattern_aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -m owner
--cmd-owner wget -j CONFIRMED
-A INPUT -i lo -j ACCEPT
-A INPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A INPUT -m state --state RELATED -j CONFIRMED
-A INPUT -j SPOOFING_PROTECTION
-A INPUT -j HA
-A INPUT -j PSD_MATCH
-A INPUT -j SANITY_CHECKS
-A INPUT -j AUTO_INPUT
-A INPUT -j USR_INPUT
-A INPUT -j LOGDROP
-A FORWARD -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A FORWARD -m state --state RELATED -j CONFIRMED
-A FORWARD -j SPOOFING_PROTECTION
-A FORWARD -j PSD_MATCH
-A FORWARD -j SANITY_CHECKS
-A FORWARD -j AUTO_FORWARD
-A FORWARD -j USR_FORWARD
-A FORWARD -j LOGDROP
-A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
--ulog-qthreshold 50
-A INVALID_PKT -j DROP
-A LOGACCEPT -j ULOG --ulog-prefix "ACCEPT: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGACCEPT -j CONFIRMED
-A LOGDROP -j ULOG --ulog-prefix "DROP: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGDROP -j DROP
-A LOGREJECT -j ULOG --ulog-prefix "REJECT: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A OUTPUT -m state --state RELATED -j CONFIRMED
-A OUTPUT -j HA
-A OUTPUT -j SANITY_CHECKS
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A OUTPUT -j LOGDROP
-A PSD_ACTION -j ULOG --ulog-prefix "PORTSCAN: " --ulog-cprange 40
--ulog-qthreshold 50
-A PSD_ACTION -j DROP
-A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300
--psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION
-A SANITY_CHECKS -p tcp -m tcp --sport 21 --dport 1:65535 --tcp-flags
SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
-A SANITY_CHECKS -p tcp -m state --state NEW -j STRICT_TCP_STATE
-A SANITY_CHECKS -p tcp -m tcp --sport 1:65535 --dport 21 -m state
--state INVALID -j REJECT --reject-with tcp-reset
-A SANITY_CHECKS -p tcp -m state --state INVALID -j INVALID_PKT
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
40 --ulog-qthreshold 50
-A SPOOF_DROP -j DROP
-A STRICT_TCP_STATE -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
-A STRICT_TCP_STATE -p tcp -j INVALID_PKT
-A STRICT_TCP_STATE -p tcp -j DROP
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 20:21 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 21 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 25 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 23 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.100 -p tcp -m
tcp --sport 1024:65535 --dport 143 -j CONFIRMED
-A USR_FORWARD -p tcp -m tcp --sport 1:65535 --dport 53 -j CONFIRMED
-A USR_FORWARD -p udp -m udp --sport 1:65535 --dport 53 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
-j CONFIRMED
-A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
-j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
143 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
143 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 20:21 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.110 -p tcp -m tcp --sport 1024:65535 --dport
80 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --dport 22 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 10000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 10000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 3306 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 3306 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.105 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.105 -p udp -m udp --sport 1:65535 --dport
4444 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 5000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1024:65535 --dport 389 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1024:65535 --dport 389 -j CONFIRMED
-A USR_INPUT -d 192.168.2.255 -j DROP
-A USR_INPUT -d 192.168.1.255 -j DROP
-A USR_INPUT -d 255.255.255.255 -j DROP
COMMIT
# Completed on Fri Jul 21 01:30:07 2006


ip addr --->
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:66:65:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.5/24 brd 192.168.2.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:c7:5b:26:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:8b:0e:07:a2 brd ff:ff:ff:ff:ff:ff
    inet 69.20.153.137/28 brd 69.20.153.143 scope global eth2
********* end

ifconfig -a ----->
eth0      Link encap:Ethernet  HWaddr 00:01:02:66:65:9A
          inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43248768 errors:4 dropped:0 overruns:0 frame:4
          TX packets:35972974 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3994495514 (3809.4 Mb)  TX bytes:2463271557 (2349.1 Mb)
          Interrupt:169 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr 00:08:C7:5B:26:09
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6956097 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10514182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:111359643 (106.2 Mb)  TX bytes:2215921769 (2113.2 Mb)

eth2      Link encap:Ethernet  HWaddr 00:50:8B:0E:07:A2
          inet addr:69.20.153.137  Bcast:69.20.153.143  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30327796 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32818577 errors:0 dropped:0 overruns:0 carrier:0
          collisions:294358 txqueuelen:1000
          RX bytes:2949179609 (2812.5 Mb)  TX bytes:1976098120 (1884.5 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6116295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6116295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1516135054 (1445.8 Mb)  TX bytes:1516135054 (1445.8 Mb)

*************end

The purpose of listing my current config was to give anyone else an idea
of what I am now using (like to suggest just an iptables-based solution
vs. a larger Cisco PIX box, which would be overkill for my use). I
would like to switch to a different one, but I would like some opinions
on what you have used and are happy with vs. getting a beta and having
security breaches; or, if you could help me fix this one, I would be very
appreciative.

Chris
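To work out which rule in the SPOOFING_PROTECTION chain dropped the packet logged above, here is a small checker (an added example, not part of the thread and not Astaro's code): it parses the ulogd line and the chain exactly as printed in the dump, re-joined where the mailer wrapped them, and reports the first rule whose -s/-d/-i conditions the packet satisfies, plus whether the source address fits the ingress interface from the ip addr output. It assumes the old "-i ! eth2" negation spelling that this iptables version emits.

```python
"""Which SPOOFING_PROTECTION rule produced the "IP-SPOOFING DROP" line?  Added
example; log line, chain and interfaces are copied from the post, re-joined."""
import ipaddress
import re
import shlex

LOG_LINE = (
    "2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT= "
    "MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105 "
    "DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF "
    "PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0")

SPOOF_CHAIN = """
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
"""

IFACES = {"eth0": "192.168.2.5/24", "eth1": "192.168.1.1/24",
          "eth2": "69.20.153.137/28"}      # from the post's "ip addr" output

def parse_ulog(line):
    """Dict of the KEY=VALUE tokens of a netfilter/ulogd log line."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def parse_rule(line):
    """Parse -s/-d/-i of one iptables-save rule (each option takes one value).
    Handles the old '-i ! eth0' negation syntax that iptables 1.3 emits."""
    toks = shlex.split(line)
    rule = {"src": None, "dst": None, "iface": None, "neg": False, "text": line.strip()}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):
            key = "src" if t == "-s" else "dst"
            rule[key] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-i":
            if toks[i + 1] == "!":          # negation precedes the value
                rule["neg"] = True
                i += 1
            rule["iface"] = toks[i + 1]
        i += 2                              # option plus its single value
    return rule

def rule_matches(rule, pkt):
    """True if the packet's SRC, DST and IN satisfy every condition on the rule."""
    src, dst = ipaddress.ip_address(pkt["SRC"]), ipaddress.ip_address(pkt["DST"])
    if rule["src"] is not None and src not in rule["src"]:
        return False
    if rule["dst"] is not None and dst not in rule["dst"]:
        return False
    # A negated -i matches exactly when the ingress interface differs.
    if rule["iface"] is not None and (pkt["IN"] == rule["iface"]) == rule["neg"]:
        return False
    return True

def first_match(chain_text, pkt):
    """(1-based position, text) of the first rule that fires, or None."""
    for pos, line in enumerate(chain_text.strip().splitlines(), 1):
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return pos, rule["text"]
    return None

def source_fits_ingress(pkt, ifaces=IFACES):
    """True if SRC lies in the subnet of the interface the packet came in on."""
    net = ipaddress.ip_interface(ifaces[pkt["IN"]]).network
    return ipaddress.ip_address(pkt["SRC"]) in net
```

For the logged packet the checker returns rule 10, "-d 69.20.153.137 -i ! eth2": the source 192.168.2.105 fits eth0, so what tripped the chain is the firewall's own external address being reached from the inside, not a forged source.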
