
Re: Firewall: Need Advice



On Saturday, 07-02-2004, at around 22:42, SLeiBt wrote:
> On Sat 07/02/2004 at 14:10, E&Erdem wrote:
> > 07-02-2004 - 14:01 SLeiBt:
> > Here is my /etc/init.d/iptables file. I couldn't understand it.
> > 
> > And when I try /etc/init.d/iptables save active it gives an error:
> > There is no file or directory /var/lib/iptables/active
> > 
> > "Savinging iptables ruleset: save "active" with
> > counters/etc/init.d/iptables: line 66: /var/lib/iptables/active"
> 
> On the surface, it looks like mine... But I discovered that on one of my
> machines (one which doesn't act as a firewall), I could get that same
> type of error (although it says line 65 for some reason). On that
> machine, there is no "iptables" directory in /var/lib.
> 
> I'd say this should be created when installing whatever package iptables
> is in, but well. mkdir /var/lib/iptables and you should be in business.
> 
> I'd say this directory would be ok being owned by root & with 700
> rights.

I created /var/lib/iptables with 0700 rights and owned by root. Then
/etc/init.d/iptables save active && /etc/init.d/iptables restart. It
looks ok: Loading iptables ruleset: load "active".

But I want to be sure about my rulesets (the ones Debian set as default). If
anybody has time to look at this... I know, this is a lazy way; I have
to read the iptables documents much more, and I will. But until I read and
learn I don't want to feel insecure.

> 
> Regards,
Thanks...

> 
> Sebastien
> 
> PS: about this directory being missing... Anybody thinks I should file a
> smallish bug for that? Running unstable with numerous upgrades almost
> each day...
> 
-- 
__________________________________________________________________
 E&Erdem
------------------------------------------------------------------ 
                                       
Chain INPUT (policy DROP)
target     prot opt source               destination         
UNCLEAN    all  --  anywhere             anywhere            unclean 
ACCEPT     tcp  --  ns1.ttnet.net.tr     anywhere            tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     udp  --  ns1.ttnet.net.tr     anywhere            
ACCEPT     tcp  --  ist-dnssrv.ttnet.net.tr  anywhere            tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     udp  --  ist-dnssrv.ttnet.net.tr  anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             195.174.0.0/16      limit: avg 10/sec burst 5 
LD         all  --  anywhere             anywhere            state INVALID 
LD         all  -f  anywhere             anywhere            limit: avg 10/min burst 5 
ACCEPT     all  --  192.168.0.0/24       anywhere            
LD         all  --  0.0.0.0/8            195.174.0.0/16      
LD         all  --  1.0.0.0/8            195.174.0.0/16      
LD         all  --  2.0.0.0/8            195.174.0.0/16      
LD         all  --  5.0.0.0/8            195.174.0.0/16      
LD         all  --  7.0.0.0/8            195.174.0.0/16      
LD         all  --  10.0.0.0/8           195.174.0.0/16      
LD         all  --  23.0.0.0/8           195.174.0.0/16      
LD         all  --  27.0.0.0/8           195.174.0.0/16      
LD         all  --  31.0.0.0/8           195.174.0.0/16      
LD         all  --  36.0.0.0/8           195.174.0.0/16      
LD         all  --  37.0.0.0/8           195.174.0.0/16      
LD         all  --  39.0.0.0/8           195.174.0.0/16      
LD         all  --  41.0.0.0/8           195.174.0.0/16      
LD         all  --  42.0.0.0/8           195.174.0.0/16      
LD         all  --  49.0.0.0/8           195.174.0.0/16      
LD         all  --  50.0.0.0/8           195.174.0.0/16      
LD         all  --  58.0.0.0/8           195.174.0.0/16      
LD         all  --  59.0.0.0/8           195.174.0.0/16      
LD         all  --  70.0.0.0/8           195.174.0.0/16      
LD         all  --  71.0.0.0/8           195.174.0.0/16      
LD         all  --  72.0.0.0/8           195.174.0.0/16      
LD         all  --  73.0.0.0/8           195.174.0.0/16      
LD         all  --  74.0.0.0/8           195.174.0.0/16      
LD         all  --  75.0.0.0/8           195.174.0.0/16      
LD         all  --  76.0.0.0/8           195.174.0.0/16      
LD         all  --  77.0.0.0/8           195.174.0.0/16      
LD         all  --  78.0.0.0/8           195.174.0.0/16      
LD         all  --  79.0.0.0/8           195.174.0.0/16      
LD         all  --  83.0.0.0/8           195.174.0.0/16      
LD         all  --  84.0.0.0/8           195.174.0.0/16      
LD         all  --  85.0.0.0/8           195.174.0.0/16      
LD         all  --  86.0.0.0/8           195.174.0.0/16      
LD         all  --  87.0.0.0/8           195.174.0.0/16      
LD         all  --  88.0.0.0/8           195.174.0.0/16      
LD         all  --  89.0.0.0/8           195.174.0.0/16      
LD         all  --  90.0.0.0/8           195.174.0.0/16      
LD         all  --  91.0.0.0/8           195.174.0.0/16      
LD         all  --  92.0.0.0/8           195.174.0.0/16      
LD         all  --  93.0.0.0/8           195.174.0.0/16      
LD         all  --  94.0.0.0/8           195.174.0.0/16      
LD         all  --  95.0.0.0/8           195.174.0.0/16      
LD         all  --  96.0.0.0/8           195.174.0.0/16      
LD         all  --  97.0.0.0/8           195.174.0.0/16      
LD         all  --  98.0.0.0/8           195.174.0.0/16      
LD         all  --  99.0.0.0/8           195.174.0.0/16      
LD         all  --  100.0.0.0/8          195.174.0.0/16      
LD         all  --  101.0.0.0/8          195.174.0.0/16      
LD         all  --  102.0.0.0/8          195.174.0.0/16      
LD         all  --  103.0.0.0/8          195.174.0.0/16      
LD         all  --  104.0.0.0/8          195.174.0.0/16      
LD         all  --  105.0.0.0/8          195.174.0.0/16      
LD         all  --  106.0.0.0/8          195.174.0.0/16      
LD         all  --  107.0.0.0/8          195.174.0.0/16      
LD         all  --  108.0.0.0/8          195.174.0.0/16      
LD         all  --  109.0.0.0/8          195.174.0.0/16      
LD         all  --  110.0.0.0/8          195.174.0.0/16      
LD         all  --  111.0.0.0/8          195.174.0.0/16      
LD         all  --  112.0.0.0/8          195.174.0.0/16      
LD         all  --  113.0.0.0/8          195.174.0.0/16      
LD         all  --  114.0.0.0/8          195.174.0.0/16      
LD         all  --  115.0.0.0/8          195.174.0.0/16      
LD         all  --  116.0.0.0/8          195.174.0.0/16      
LD         all  --  117.0.0.0/8          195.174.0.0/16      
LD         all  --  118.0.0.0/8          195.174.0.0/16      
LD         all  --  119.0.0.0/8          195.174.0.0/16      
LD         all  --  120.0.0.0/8          195.174.0.0/16      
LD         all  --  121.0.0.0/8          195.174.0.0/16      
LD         all  --  122.0.0.0/8          195.174.0.0/16      
LD         all  --  123.0.0.0/8          195.174.0.0/16      
LD         all  --  124.0.0.0/8          195.174.0.0/16      
LD         all  --  125.0.0.0/8          195.174.0.0/16      
LD         all  --  126.0.0.0/8          195.174.0.0/16      
LD         all  --  127.0.0.0/8          195.174.0.0/16      
LD         all  --  169.254.0.0/16       195.174.0.0/16      
LD         all  --  172.16.0.0/12        195.174.0.0/16      
LD         all  --  173.0.0.0/8          195.174.0.0/16      
LD         all  --  174.0.0.0/8          195.174.0.0/16      
LD         all  --  175.0.0.0/8          195.174.0.0/16      
LD         all  --  176.0.0.0/8          195.174.0.0/16      
LD         all  --  177.0.0.0/8          195.174.0.0/16      
LD         all  --  178.0.0.0/8          195.174.0.0/16      
LD         all  --  179.0.0.0/8          195.174.0.0/16      
LD         all  --  180.0.0.0/8          195.174.0.0/16      
LD         all  --  181.0.0.0/8          195.174.0.0/16      
LD         all  --  182.0.0.0/8          195.174.0.0/16      
LD         all  --  183.0.0.0/8          195.174.0.0/16      
LD         all  --  184.0.0.0/8          195.174.0.0/16      
LD         all  --  185.0.0.0/8          195.174.0.0/16      
LD         all  --  186.0.0.0/8          195.174.0.0/16      
LD         all  --  187.0.0.0/8          195.174.0.0/16      
LD         all  --  189.0.0.0/8          195.174.0.0/16      
LD         all  --  190.0.0.0/8          195.174.0.0/16      
LD         all  --  192.0.2.0/24         195.174.0.0/16      
LD         all  --  192.168.0.0/16       195.174.0.0/16      
LD         all  --  197.0.0.0/8          195.174.0.0/16      
LD         all  --  198.18.0.0/15        195.174.0.0/16      
LD         all  --  223.0.0.0/8          195.174.0.0/16      
LD         all  --  BASE-ADDRESS.MCAST.NET/3  195.174.0.0/16      
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpt:31337 limit: avg 2/min burst 5 
LD         udp  --  anywhere             195.174.0.0/16      limit: avg 2/min burst 5 udp dpt:31337 
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpt:33270 limit: avg 2/min burst 5 
LD         udp  --  anywhere             195.174.0.0/16      limit: avg 2/min burst 5 udp dpt:33270 
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpt:1234 limit: avg 2/min burst 5 
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpt:6711 limit: avg 2/min burst 5 
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5 
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5 
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpts:12345:12346 limit: avg 2/min burst 5 
LD         udp  --  anywhere             195.174.0.0/16      limit: avg 2/min burst 5 udp dpts:12345:12346 
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpt:135 limit: avg 2/min burst 5 
LD         udp  --  anywhere             195.174.0.0/16      limit: avg 2/min burst 5 udp dpt:135 
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpt:ingreslock limit: avg 2/min burst 5 
LD         tcp  --  anywhere             195.174.0.0/16      tcp dpt:27665 limit: avg 2/min burst 5 
LD         udp  --  anywhere             195.174.0.0/16      limit: avg 2/min burst 5 udp dpt:27444 
LD         udp  --  anywhere             195.174.0.0/16      limit: avg 2/min burst 5 udp dpt:31335 
LD         all  --  BASE-ADDRESS.MCAST.NET/8  anywhere            
LD         all  --  anywhere             BASE-ADDRESS.MCAST.NET/8 
LD         all  --  255.255.255.255      anywhere            
LD         all  --  anywhere             0.0.0.0             
DROP       all  --  10.0.0.255           anywhere            
DROP       all  --  0.0.0.0              anywhere            
DROP       all  --  anywhere             255.255.255.255     
DROP       all  --  anywhere             0.0.0.0             
LD         all  --  anywhere             anywhere            state INVALID 
LD         all  -f  anywhere             anywhere            limit: avg 10/min burst 5 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:bootps:bootpc 
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc 
LD         tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW 
STATE      tcp  --  anywhere             195.174.0.0/16      tcp dpts:1024:65535 
ACCEPT     udp  --  anywhere             195.174.0.0/16      udp dpts:1023:65535 
LD         all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
UNCLEAN    all  --  anywhere             anywhere            unclean 
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
ACCEPT     all  --  192.168.0.0/24       anywhere            
ACCEPT     all  --  anywhere             192.168.0.0/24      

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
UNCLEAN    all  --  anywhere             anywhere            unclean 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  192.168.0.0/24       anywhere            
ACCEPT     icmp --  192.168.0.0/24       anywhere            
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpt:31337 limit: avg 2/min burst 5 
LD         udp  --  195.174.0.0/16       anywhere            limit: avg 2/min burst 5 udp dpt:31337 
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpt:33270 limit: avg 2/min burst 5 
LD         udp  --  195.174.0.0/16       anywhere            limit: avg 2/min burst 5 udp dpt:33270 
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpt:1234 limit: avg 2/min burst 5 
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpt:6711 limit: avg 2/min burst 5 
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5 
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5 
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpts:12345:12346 limit: avg 2/min burst 5 
LD         udp  --  195.174.0.0/16       anywhere            limit: avg 2/min burst 5 udp dpts:12345:12346 
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpt:135 limit: avg 2/min burst 5 
LD         udp  --  195.174.0.0/16       anywhere            limit: avg 2/min burst 5 udp dpt:135 
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpt:ingreslock limit: avg 2/min burst 5 
LD         tcp  --  195.174.0.0/16       anywhere            tcp dpt:27665 limit: avg 2/min burst 5 
LD         udp  --  195.174.0.0/16       anywhere            limit: avg 2/min burst 5 udp dpt:27444 
LD         udp  --  195.174.0.0/16       anywhere            limit: avg 2/min burst 5 udp dpt:31335 
LD         all  --  BASE-ADDRESS.MCAST.NET/8  anywhere            
LD         all  --  anywhere             BASE-ADDRESS.MCAST.NET/8 
LD         all  --  255.255.255.255      anywhere            
LD         all  --  anywhere             0.0.0.0             
DROP       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW 
           all  --  anywhere             anywhere            TTL match TTL == 64 
ACCEPT     icmp --  195.174.0.0/16       anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain LD (148 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level warning 
DROP       all  --  anywhere             anywhere            

Chain SANITY (0 references)
target     prot opt source               destination         
LD         all  --  anywhere             anywhere            

Chain STATE (1 references)
target     prot opt source               destination         
LD         all  --  anywhere             anywhere            state NEW 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
LD         all  --  anywhere             anywhere            

Chain UNCLEAN (3 references)
target     prot opt source               destination         
LD         all  --  anywhere             anywhere            
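The listing above was taken with plain `iptables -L`, which prints neither numeric addresses nor the interface a rule is bound to. That matters for the rules that read `ACCEPT all -- anywhere anywhere` (the sixth rule of INPUT and the second of OUTPUT): if they are restricted to the loopback interface with `-i lo` they are harmless, but if they are not, they accept every packet and every rule below them in the chain is dead code. The following Python script is an added example, not code from the original thread or from Debian's iptables package; it parses listings in the format shown above and reports accept-all rules that still have rules after them. The abridged sample listing embedded in it is constructed from the INPUT, OUTPUT and LD chains posted above.

```python
"""Audit helper for `iptables -L` listings (added example, not from the post).

Parses the text `iptables -L` prints (a "Chain" header, a column header,
then one rule per line) and reports ACCEPT rules that match all traffic
from anywhere to anywhere with no further match: such a rule shadows every
rule below it in its chain.  A listing taken without `-v` does not show
the interface a rule is bound to, so the rule may really be `-i lo`; the
report says so rather than declaring the rule wrong.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# "Chain INPUT (policy DROP)" or "Chain LD (148 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")


@dataclass
class Rule:
    target: str        # empty when the rule has no jump target (pure match)
    proto: str
    opt: str           # "--" or "-f" (fragments)
    source: str
    destination: str
    extra: str         # trailing match text, e.g. "state INVALID"


@dataclass
class Chain:
    name: str
    policy: Optional[str]   # None for user-defined chains
    rules: list[Rule] = field(default_factory=list)


def parse_listing(text: str) -> dict[str, Chain]:
    """Parse `iptables -L` output into chains, preserving rule order."""
    chains: dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if current is None or line.startswith("target "):
            continue  # column header (or text before the first chain)
        if line[0].isspace():
            # Rule without a target: iptables leaves the first column blank.
            fields = [""] + line.split(None, 4)
        else:
            fields = line.split(None, 5)
        fields += [""] * (6 - len(fields))  # pad a missing "extra" column
        current.rules.append(Rule(*fields))
    return chains


def accepts_everything(rule: Rule) -> bool:
    """True for "ACCEPT all -- anywhere anywhere" with no extra match."""
    return (rule.target == "ACCEPT" and rule.proto == "all" and rule.opt == "--"
            and rule.source == "anywhere" and rule.destination == "anywhere"
            and rule.extra == "")


def shadowing_accepts(chain: Chain) -> list[int]:
    """0-based positions of accept-all rules that still have rules after them.

    A final accept-all rule is an explicit catch-all and is not reported.
    """
    last = len(chain.rules) - 1
    return [i for i, r in enumerate(chain.rules)
            if accepts_everything(r) and i < last]


def audit(text: str) -> dict[str, list[int]]:
    """Map chain name -> positions of shadowing accept-all rules (hits only)."""
    report: dict[str, list[int]] = {}
    for name, chain in parse_listing(text).items():
        hits = shadowing_accepts(chain)
        if hits:
            report[name] = hits
    return report


# Constructed sample: an abridged version of the INPUT, OUTPUT and LD chains
# from the posted listing, in the exact layout `iptables -L` prints.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
UNCLEAN    all  --  anywhere             anywhere            unclean
ACCEPT     udp  --  ns1.ttnet.net.tr     anywhere
ACCEPT     all  --  anywhere             anywhere
LD         all  --  anywhere             anywhere            state INVALID
LD         all  --  192.168.0.0/16       195.174.0.0/16
LD         all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
UNCLEAN    all  --  anywhere             anywhere            unclean
ACCEPT     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW
           all  --  anywhere             anywhere            TTL match TTL == 64
ACCEPT     all  --  anywhere             anywhere

Chain LD (148 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning
DROP       all  --  anywhere             anywhere
"""

if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    for name, positions in audit(SAMPLE).items():
        for pos in positions:
            below = len(chains[name].rules) - pos - 1
            print(f"{name}: rule {pos + 1} accepts all traffic and shadows the "
                  f"{below} rule(s) below it; check with 'iptables -L -v -n' "
                  f"whether it is bound to an interface such as lo")
```

Run against a real box, feed it the output of `iptables -L` (or better `iptables -L -v -n`, which adds the interface and byte counters, so the `-i lo` case can be told apart from a genuine accept-all). On the sample it reports INPUT rule 3 and OUTPUT rule 2; the final `ACCEPT all` in OUTPUT is a deliberate catch-all and is left alone.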
