Re: Firewall
This is very very useful information here.
The error message tells us detailed info that we need to know about what
packet was dropped, that you did not want it dropped, and we have the
iptables configuration.
Here is the important part of the error message details:
IP-SPOOFING DROP: IN=eth0
SRC=192.168.2.105
DST=69.20.153.137
PROTO=TCP SPT=59941 DPT=143
Okay, now here is the configuration that generated this iptables packet
drop, and the chain it came from:
-A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange 40 --ulog-qthreshold 50
-A SPOOF_DROP -j DROP
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
Finally, here is the offending line that our packet matches, which is
causing it to be dropped:
"-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP"
Yep, that packet is coming in on eth0, going to 69.20.153.137. That's
perfectly sane, but the iptables rules are not. I think they assume
that the 192.168.2.0/24 network will access the firewall host only on
the same network interface, which is NOT a good assumption. Your IMAP
server has its DNS entry set to use its public-facing port.
You need to remove the offending rule and your problems may go away.
That said, make sure to go through your firewall UI to do it -- don't
mess with iptables directly unless the firewall vendor/project says you
may do so, or you want to just use iptables in the future.
Also, you may have other issues due to the NAT/MASQ you have going on
there. I don't know if the firewall trying to talk to itself through a
NAT/MASQ session is going to work.
Another option that might resolve your problems is to have a split DNS
between the Internet and your inside networks (I don't like this
particular solution myself, but it's what many might do).
My condolences on your complicated problem. You are going to need to
meditate on this one to get it figured out. Good luck though. It can
be done.
Chris Davies wrote:
Jesse Molina wrote:
The output of the command "iptables-save" would be useful to us. As
would an "ip addr" or "ifconfig -a", on BOTH the server and the firewall.
The actual error messages would be useful as well.
If you don't want to fix it, which would be contrary to the fact that
you told us all about it, there are a number of other Linux or
FreeBSD/OpenBSD firewall projects -- google can help you find the way.
If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
checkpoint are quite common. I don't care for Watchguard, SonicWall,
or other firewall vendors much.
Chris Davies wrote:
Hello,
New to this place, so hi everyone.
I run a few servers on my network and am having problems with my
firewall.
I am finishing up my IMAP server but I can't connect to it. The error my
firewall spits out is that it is a spoofed MAC address (on the server
side). I can connect to the local addresses, but not from anywhere where
it has to go through my FW.
I run Debian 3.01(sarge) with Exim4, Dovecot imap w/maildir, also I have
4 virtual IPs on this server, for intra(extra)nets.
My firewall is Astaro Security Linux 6.
My question is what is a good firewall these days, because I have about
had it with this one.
Thanx
Chris
Message from log --->
2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT= MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105 DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*nat
:AUTO_OUTPUT - [0:0]
:AUTO_POST - [0:0]
:AUTO_PRE - [0:0]
:PREROUTING ACCEPT [684764:90790281]
:POSTROUTING ACCEPT [810702:54559262]
:OUTPUT ACCEPT [38180:5648519]
:USR_OUTPUT - [0:0]
:USR_POST - [0:0]
:USR_PRE - [0:0]
-A PREROUTING -j AUTO_PRE
-A PREROUTING -j USR_PRE
-A POSTROUTING -j AUTO_POST
-A POSTROUTING -j USR_POST
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport
80 -j DNAT --to-destination 192.168.1.110
-A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25
-j DNAT --to-destination 192.168.1.100
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport
6881 -j DNAT --to-destination 192.168.2.105
-A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
6881 -j DNAT --to-destination 192.168.2.105
-A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
4444 -j DNAT --to-destination 192.168.2.105
-A USR_POST -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
-A USR_POST -s 192.168.2.0/255.255.255.0 -o eth2 -j MASQUERADE
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80
-j DNAT --to-destination 192.168.1.110
-A USR_PRE -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_PRE -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j
DNAT --to-destination 192.168.1.100
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881
-j DNAT --to-destination 192.168.2.105
-A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 6881
-j DNAT --to-destination 192.168.2.105
-A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 4444
-j DNAT --to-destination 192.168.2.105
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*ips
:PREROUTING ACCEPT [85268420:58804227617]
:INPUT ACCEPT [71920:73703193]
:FORWARD ACCEPT [18409:10865526]
:OUTPUT ACCEPT [51149:7744091]
:POSTROUTING ACCEPT [85257053:58524784864]
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*mangle
:INVALID_PKT - [0:0]
:POLICY_ROUTING_OUT - [0:0]
:POLICY_ROUTING_PRE - [0:0]
:PREROUTING ACCEPT [85268432:58804228448]
:INPUT ACCEPT [6933573:1948839077]
:FORWARD ACCEPT [78333312:56855205229]
:OUTPUT ACCEPT [7027235:1676138656]
:POSTROUTING ACCEPT [67282614:56180797304]
:SET_PRIO_HIGH - [0:0]
:SET_PRIO_LOW - [0:0]
-A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
--ulog-qthreshold 50
-A INVALID_PKT -j DROP
-A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
-A PREROUTING -p icmp -m icmp --icmp-type 5 -j ULOG --ulog-prefix "ICMP
REDIRECT: " --ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -j POLICY_ROUTING_PRE
-A PREROUTING -p tcp -m length --length 20:39 -j INVALID_PKT
-A PREROUTING -p udp -m length --length 20:27 -j INVALID_PKT
-A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
-A PREROUTING -m state --state RELATED -m helper --helper "ftp" -j ULOG
--ulog-prefix "FTP_DATA: " --ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p udp
-m udp --sport 53:65535 --dport 53 -m u32 --u32
0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0 -j ULOG --ulog-prefix "DNS_REQUEST: "
--ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p tcp
-m tcp --sport 53:65535 --dport 53 -m u32 --u32
0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0>>0xf&0x1=0x0 -j ULOG --ulog-prefix
"DNS_REQUEST: " --ulog-cprange 40 --ulog-qthreshold 50
-A OUTPUT -j POLICY_ROUTING_OUT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -p tcp -m tcp --tcp-flags ACK ACK -m length --length
50:100 -j SET_PRIO_HIGH
-A POSTROUTING -m tos --tos Minimize-Delay -j SET_PRIO_HIGH
-A POSTROUTING -p icmp -j SET_PRIO_HIGH
-A SET_PRIO_HIGH -j CLASSIFY --set-class 0000:0008
-A SET_PRIO_HIGH -j ACCEPT
-A SET_PRIO_LOW -j CLASSIFY --set-class 0000:0005
-A SET_PRIO_LOW -j ACCEPT
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*raw
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:LOCAL_TRAFFIC - [0:0]
:PREROUTING ACCEPT [144:6172]
:OUTPUT ACCEPT [913592:160544115]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
-A ICMP_FLOOD -j ICMP_FLOOD_SRC
-A ICMP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"ICMP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A ICMP_FLOOD_DROP -j DROP
-A ICMP_FLOOD_DST -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
--hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j ACCEPT
-A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
-A ICMP_FLOOD_SRC -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
--hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
-A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
-A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A PREROUTING -p tcp -j SYN_FLOOD
-A PREROUTING -p udp -j UDP_FLOOD
-A PREROUTING -p icmp -j ICMP_FLOOD
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A SYN_FLOOD -j SYN_FLOOD_SRC
-A SYN_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"SYN_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A SYN_FLOOD_DROP -j DROP
-A SYN_FLOOD_DST -m hashlimit --hashlimit 200/sec --hashlimit-burst 30
--hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j ACCEPT
-A SYN_FLOOD_DST -j SYN_FLOOD_DROP
-A SYN_FLOOD_SRC -m hashlimit --hashlimit 100/sec --hashlimit-burst 30
--hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
-A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
-A UDP_FLOOD -j UDP_FLOOD_SRC
-A UDP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"UDP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A UDP_FLOOD_DROP -j DROP
-A UDP_FLOOD_DST -m hashlimit --hashlimit 303/sec --hashlimit-burst 60
--hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j ACCEPT
-A UDP_FLOOD_DST -j UDP_FLOOD_DROP
-A UDP_FLOOD_SRC -m hashlimit --hashlimit 200/sec --hashlimit-burst 60
--hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
-A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*filter
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:HA - [0:0]
:INPUT DROP [3:534]
:FORWARD DROP [0:0]
:INVALID_PKT - [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:OUTPUT DROP [4:224]
:PSD_ACTION - [0:0]
:PSD_MATCH - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:STRICT_TCP_STATE - [0:0]
:USR_FORWARD - [0:0]
:USR_INPUT - [0:0]
:USR_OUTPUT - [0:0]
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
-A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535
--dport 22 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j LOGDROP
-A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 25 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED
-A AUTO_OUTPUT -d 216.180.176.3 -p tcp -m tcp --sport 53:65535 --dport
53 -m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 216.180.176.3 -p udp -m udp --sport 53:65535 --dport
53 -m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.128.5 -p tcp -m tcp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.128.5 -p udp -m udp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.129.5 -p tcp -m tcp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.129.5 -p udp -m udp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 25 -m owner
--cmd-owner exim -j CONFIRMED
-A AUTO_OUTPUT -d 192.168.1.100 -p udp -m udp --sport 1:65535 --dport
514 -m owner --cmd-owner syslog-ng -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -m
owner --cmd-owner netselect -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
--cmd-owner aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
--cmd-owner aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
--cmd-owner pattern_aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
--cmd-owner pattern_aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -m owner
--cmd-owner wget -j CONFIRMED
-A INPUT -i lo -j ACCEPT
-A INPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A INPUT -m state --state RELATED -j CONFIRMED
-A INPUT -j SPOOFING_PROTECTION
-A INPUT -j HA
-A INPUT -j PSD_MATCH
-A INPUT -j SANITY_CHECKS
-A INPUT -j AUTO_INPUT
-A INPUT -j USR_INPUT
-A INPUT -j LOGDROP
-A FORWARD -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A FORWARD -m state --state RELATED -j CONFIRMED
-A FORWARD -j SPOOFING_PROTECTION
-A FORWARD -j PSD_MATCH
-A FORWARD -j SANITY_CHECKS
-A FORWARD -j AUTO_FORWARD
-A FORWARD -j USR_FORWARD
-A FORWARD -j LOGDROP
-A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
--ulog-qthreshold 50
-A INVALID_PKT -j DROP
-A LOGACCEPT -j ULOG --ulog-prefix "ACCEPT: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGACCEPT -j CONFIRMED
-A LOGDROP -j ULOG --ulog-prefix "DROP: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGDROP -j DROP
-A LOGREJECT -j ULOG --ulog-prefix "REJECT: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A OUTPUT -m state --state RELATED -j CONFIRMED
-A OUTPUT -j HA
-A OUTPUT -j SANITY_CHECKS
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A OUTPUT -j LOGDROP
-A PSD_ACTION -j ULOG --ulog-prefix "PORTSCAN: " --ulog-cprange 40
--ulog-qthreshold 50
-A PSD_ACTION -j DROP
-A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300
--psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION
-A SANITY_CHECKS -p tcp -m tcp --sport 21 --dport 1:65535 --tcp-flags
SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
-A SANITY_CHECKS -p tcp -m state --state NEW -j STRICT_TCP_STATE
-A SANITY_CHECKS -p tcp -m tcp --sport 1:65535 --dport 21 -m state
--state INVALID -j REJECT --reject-with tcp-reset
-A SANITY_CHECKS -p tcp -m state --state INVALID -j INVALID_PKT
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
40 --ulog-qthreshold 50
-A SPOOF_DROP -j DROP
-A STRICT_TCP_STATE -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
-A STRICT_TCP_STATE -p tcp -j INVALID_PKT
-A STRICT_TCP_STATE -p tcp -j DROP
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 20:21 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 21 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 25 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 23 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.100 -p tcp -m
tcp --sport 1024:65535 --dport 143 -j CONFIRMED
-A USR_FORWARD -p tcp -m tcp --sport 1:65535 --dport 53 -j CONFIRMED
-A USR_FORWARD -p udp -m udp --sport 1:65535 --dport 53 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
-j CONFIRMED
-A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
-j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
143 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
143 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 20:21 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.110 -p tcp -m tcp --sport 1024:65535 --dport
80 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --dport 22 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 10000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 10000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 3306 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 3306 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.105 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.105 -p udp -m udp --sport 1:65535 --dport
4444 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 5000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1024:65535 --dport 389 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1024:65535 --dport 389 -j CONFIRMED
-A USR_INPUT -d 192.168.2.255 -j DROP
-A USR_INPUT -d 192.168.1.255 -j DROP
-A USR_INPUT -d 255.255.255.255 -j DROP
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
ip addr --->
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:01:02:66:65:9a brd ff:ff:ff:ff:ff:ff
inet 192.168.2.5/24 brd 192.168.2.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:c7:5b:26:09 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:8b:0e:07:a2 brd ff:ff:ff:ff:ff:ff
inet 69.20.153.137/28 brd 69.20.153.143 scope global eth2
********* end
ifconfig -a ----->
eth0 Link encap:Ethernet HWaddr 00:01:02:66:65:9A
inet addr:192.168.2.5 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:43248768 errors:4 dropped:0 overruns:0 frame:4
TX packets:35972974 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3994495514 (3809.4 Mb) TX bytes:2463271557 (2349.1 Mb)
Interrupt:169 Base address:0xdc00
eth1 Link encap:Ethernet HWaddr 00:08:C7:5B:26:09
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6956097 errors:0 dropped:0 overruns:0 frame:0
TX packets:10514182 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:111359643 (106.2 Mb) TX bytes:2215921769 (2113.2 Mb)
eth2 Link encap:Ethernet HWaddr 00:50:8B:0E:07:A2
inet addr:69.20.153.137 Bcast:69.20.153.143 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30327796 errors:0 dropped:0 overruns:0 frame:0
TX packets:32818577 errors:0 dropped:0 overruns:0 carrier:0
collisions:294358 txqueuelen:1000
RX bytes:2949179609 (2812.5 Mb) TX bytes:1976098120 (1884.5 Mb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6116295 errors:0 dropped:0 overruns:0 frame:0
TX packets:6116295 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1516135054 (1445.8 Mb) TX bytes:1516135054 (1445.8 Mb)
*************end
The purpose of listing my current config was to give anyone else an idea
of what I am now using (like to suggest just an iptables-based solution
vs a larger Cisco PIX box, which would be overkill for my use). I
would like to switch to a different one, but I would like some opinions
on what you have used and are happy with vs getting a beta and having
security breaches, or if you could help me fix this one I would be very
appreciative.
Chris
--
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.602.323.7608
# Web = http://www.opendreams.net/jesse/
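Editor's worked example, added to this thread (it is not code from either poster or from Astaro): the logged packet replayed through the SPOOFING_PROTECTION chain quoted in the reply above, once as posted and once with the rule Jesse points at removed, followed by a check of where the packet goes next using the nat/USR_PRE port-forward rules from the posted iptables-save. The chain, the ULOG line and the DNAT table are transcribed from the thread; the matcher implements only the matches that chain uses (-s, -d, -i and the iptables 1.3 "-i ! eth2" negation) and is not netfilter, the DNAT table keeps just (protocol, destination port) because every --sport range in USR_PRE covers the logged source port 59941, and the "forged" packet at the end is constructed for the demonstration and does not appear in the log.

```python
"""Replay the logged packet through the posted SPOOFING_PROTECTION chain.

Added example for this thread, not code from the posters or from Astaro.
Rules, DNAT ports and the ULOG line are transcribed from the thread.
"""
import ipaddress
import re
import shlex

# ulogd line from the thread.
ULOG_LINE = ("IP-SPOOFING DROP: IN=eth0 OUT= "
             "MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105 "
             "DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF "
             "PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0")

# filter/SPOOFING_PROTECTION as posted (called from both INPUT and FORWARD).
SPOOFING_PROTECTION = """\
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
""".splitlines()

# nat/USR_PRE DNAT rules as posted, reduced to (proto, dport) -> new destination.
# Their --sport ranges all cover the logged source port, so they are left out.
DNAT = {("TCP", 80): "192.168.1.110", ("TCP", 25): "192.168.1.100",
        ("TCP", 4441): "192.168.2.50", ("UDP", 4441): "192.168.2.50",
        ("TCP", 6881): "192.168.2.105", ("UDP", 6881): "192.168.2.105",
        ("UDP", 4444): "192.168.2.105"}
OFFENDING_RULE = "-d 69.20.153.137 -i ! eth2"   # the rule the reply above points at


def parse_ulog(line):
    """KEY=VALUE fields of a netfilter LOG/ULOG line -> dict (bare flags like SYN are skipped)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def parse_rule(text):
    """Parse one '-A CHAIN ...' line; only -s, -d, -i (with optional '!') and -j are understood."""
    toks, rule, i = shlex.split(text), {"src": None, "dst": None, "in": None, "in_neg": False}, 0
    while i < len(toks):
        opt = toks[i]
        if opt in ("-s", "-d"):
            rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif opt == "-i" and toks[i + 1] == "!":       # iptables 1.3 negation syntax: "-i ! eth2"
            rule["in"], rule["in_neg"], i = toks[i + 2], True, i + 1
        elif opt == "-i":
            rule["in"] = toks[i + 1]
        elif opt not in ("-A", "-j"):
            raise ValueError("match not supported by this toy matcher: %r" % text)
        i += 2
    return rule


def matches(rule, pkt):
    """True if every match in the rule holds for the packet's IN, SRC and DST."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["SRC"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["DST"]) not in rule["dst"]:
        return False
    if rule["in"] is not None and (pkt["IN"] == rule["in"]) == rule["in_neg"]:
        return False
    return True


def first_match(chain, pkt):
    """Text of the first matching rule, or None when the chain falls through."""
    return next((line for line in chain if matches(parse_rule(line), pkt)), None)


def packet_path(pkt, chain=SPOOFING_PROTECTION):
    """Fate of a freshly arrived packet: ('SPOOF_DROP', rule), ('FORWARD', new_dst) or ('INPUT', None)."""
    pkt = dict(pkt)
    new_dst = DNAT.get((pkt["PROTO"], int(pkt["DPT"])))   # nat PREROUTING runs before filter
    if new_dst is not None:
        pkt["DST"] = new_dst
    hit = first_match(chain, pkt)
    if hit is not None:
        return ("SPOOF_DROP", hit)
    return ("FORWARD", new_dst) if new_dst is not None else ("INPUT", None)


def drop_rule(chain, fragment=OFFENDING_RULE):
    """The chain minus every rule containing `fragment` (the fix suggested in the reply)."""
    return [line for line in chain if fragment not in line]


if __name__ == "__main__":
    pkt = parse_ulog(ULOG_LINE)
    print("as posted   :", packet_path(pkt))
    print("rule removed:", packet_path(pkt, drop_rule(SPOOFING_PROTECTION)))
    # Constructed spoof, not from the log: an inside address showing up on the public interface.
    forged = dict(pkt, IN="eth2", SRC="192.168.1.50")
    print("forged src  :", packet_path(forged, drop_rule(SPOOFING_PROTECTION)))
```

Running it confirms the diagnosis: the first hit is the "-d 69.20.153.137 -i ! eth2" rule, with it gone no spoofing rule fires, and a real spoof (a 192.168.1.0/24 source arriving on eth2) is still caught by the source-based rules, which are the ones that actually encode "this address lives behind that interface". It also shows what the firewall does with the packet afterwards, which is the caveat to keep in mind before declaring victory: the posted USR_PRE has no DNAT for TCP 143 (only 80, 25, 4441, 6881 and 4444), so a connection to 69.20.153.137:143 terminates in the firewall's own INPUT chain, and the posted AUTO_INPUT/USR_INPUT accept nothing on 143 either; the only port 143 rules are in USR_FORWARD towards 192.168.1.100. On the rules as posted, removing the spoof rule therefore turns the "IP-SPOOFING DROP:" line into a plain "DROP:" line from INPUT unless a port-forward for 143 is added as well, or the client is pointed at the internal address (which is what the split DNS mentioned in the reply would do).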
- References:
- Firewall
- From: Chris Davies <davichri@cd-tech.biz>
- Re: Firewall
- From: Jesse Molina <jesse@opendreams.net>
- Re: Firewall
- From: Chris Davies <davichri@cd-tech.biz>